CVE-2023-49735: 
Java vulnerability analysis and mitigation

A security vulnerability identified as CVE-2023-49735 affects Apache Tiles from version 2 onwards. The vulnerability stems from the DefaultLocaleResolver.LOCALE_KEY attribute on the session not being properly validated during XML definition file resolution. This vulnerability was disclosed on November 30, 2023, and has been marked as 'UNSUPPORTED WHEN ASSIGNED' as it affects products no longer maintained (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. It is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal'). The issue can lead to path traversal and potentially SSRF/XXE vulnerabilities when user-controlled data is passed to the LOCALE_KEY attribute (NVD).

The vulnerability could potentially expose systems to path traversal attacks and Server-Side Request Forgery (SSRF) or XML External Entity (XXE) attacks when user-controlled data is passed to the LOCALE_KEY attribute. This is particularly concerning as this pattern was commonly used for setting language in the 'tiles-test' application shipped with Tiles (NVD).

Since this vulnerability affects unsupported versions of Apache Tiles, no official patches are available. Users are advised to upgrade to supported versions of the software or implement alternative solutions (NVD).