** UNSUPPORTED WHEN ASSIGNED **

The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles.

This issue affects Apache Tiles from version 2 onwards.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 20 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-11-20T18:12:54.281Z

Reserved: 2023-11-30T13:12:38.604Z

Link: CVE-2023-49735

cve-icon Vulnrichment

Updated: 2024-08-02T22:01:25.684Z

cve-icon NVD

Status : Modified

Published: 2023-11-30T22:15:09.123

Modified: 2024-11-21T08:33:45.020

Link: CVE-2023-49735

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.