Vulnerabilites related to Apache Software Foundation - Apache Wicket
cve-2016-6806
Vulnerability from cvelistv5
Published
2017-10-02 13:00
Modified
2024-09-16 20:57
Severity ?
EPSS score ?
Summary
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Wicket |
Version: 6.20.0 Version: 6.21.0 Version: 6.22.0 Version: 6.23.0 Version: 6.24.0 Version: 7.0.0 Version: 7.1.0 Version: 7.2.0 Version: 7.3.0 Version: 7.4.0 Version: 8.0.0-M1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:43:37.801Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Wicket",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "6.20.0"
},
{
"status": "affected",
"version": "6.21.0"
},
{
"status": "affected",
"version": "6.22.0"
},
{
"status": "affected",
"version": "6.23.0"
},
{
"status": "affected",
"version": "6.24.0"
},
{
"status": "affected",
"version": "7.0.0"
},
{
"status": "affected",
"version": "7.1.0"
},
{
"status": "affected",
"version": "7.2.0"
},
{
"status": "affected",
"version": "7.3.0"
},
{
"status": "affected",
"version": "7.4.0"
},
{
"status": "affected",
"version": "8.0.0-M1"
}
]
}
],
"datePublic": "2016-11-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CSRF check fails",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-02T12:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2016-11-08T00:00:00",
"ID": "CVE-2016-6806",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Wicket",
"version": {
"version_data": [
{
"version_value": "6.20.0"
},
{
"version_value": "6.21.0"
},
{
"version_value": "6.22.0"
},
{
"version_value": "6.23.0"
},
{
"version_value": "6.24.0"
},
{
"version_value": "7.0.0"
},
{
"version_value": "7.1.0"
},
{
"version_value": "7.2.0"
},
{
"version_value": "7.3.0"
},
{
"version_value": "7.4.0"
},
{
"version_value": "8.0.0-M1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CSRF check fails"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd@%3Cannounce.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-6806",
"datePublished": "2017-10-02T13:00:00Z",
"dateReserved": "2016-08-12T00:00:00",
"dateUpdated": "2024-09-16T20:57:22.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-53299
Vulnerability from cvelistv5
Published
2025-01-23 08:37
Modified
2025-02-04 18:52
Severity ?
EPSS score ?
Summary
The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.
Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5 | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Wicket |
Version: 7.0.0 ≤ 7.18.* Version: 8.0.0-M1 ≤ 8.16.* Version: 9.0.0-M1 ≤ 9.18.* Version: 10.0.0-M1 ≤ 10.2.* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-23T18:03:26.240Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/22/12"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-53299",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T18:52:21.123757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T18:52:25.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Wicket",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "7.18.*",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.16.*",
"status": "affected",
"version": "8.0.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.18.*",
"status": "affected",
"version": "9.0.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.2.*",
"status": "affected",
"version": "10.0.0-M1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pedro Santos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.\u003cbr\u003eUsers are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue."
}
],
"value": "The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.\nUsers are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T08:37:05.687Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Wicket: An attacker can intentionally trigger a memory leak",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-53299",
"datePublished": "2025-01-23T08:37:05.687Z",
"dateReserved": "2024-11-20T13:50:04.810Z",
"dateUpdated": "2025-02-04T18:52:25.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-27439
Vulnerability from cvelistv5
Published
2024-03-19 11:07
Modified
2025-02-13 17:46
Severity ?
EPSS score ?
Summary
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.
This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.
Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.
Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Wicket |
Version: 9.1.0 ≤ 9.16.0 Version: 10.0.0-M1 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:34:52.295Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/03/19/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-27439",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-22T14:09:05.246765Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T20:15:21.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Wicket",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "9.16.0",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"lessThan": "10.0.0",
"status": "affected",
"version": "10.0.0-M1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo Theunis"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.\u003cbr\u003eApache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.\nThis issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.\nApache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.\n\nUsers are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-444",
"description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T18:08:47.285Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/03/19/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Wicket: Possible bypass of CSRF protection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-27439",
"datePublished": "2024-03-19T11:07:47.648Z",
"dateReserved": "2024-02-25T20:15:40.414Z",
"dateUpdated": "2025-02-13T17:46:30.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-23937
Vulnerability from cvelistv5
Published
2021-05-25 08:05
Modified
2024-08-03 19:14
Severity ?
EPSS score ?
Summary
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Wicket |
Version: Apache Wicket 9.x < Version: Apache Wicket 8.x < Version: Apache Wicket 7.x < Version: 6.2.0 < Apache Wicket 6.x* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:14:09.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
},
{
"name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"
},
{
"name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"
},
{
"name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Wicket",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "9.2.0",
"status": "affected",
"version": "Apache Wicket 9.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "8.11.0",
"status": "affected",
"version": "Apache Wicket 8.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "7.17.0",
"status": "affected",
"version": "Apache Wicket 7.x",
"versionType": "custom"
},
{
"lessThan": "Apache Wicket 6.x*",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue."
}
],
"descriptions": [
{
"lang": "en",
"value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "DNS proxy and possible amplification attack",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-26T16:06:16",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
},
{
"name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"
},
{
"name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"
},
{
"name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "DNS proxy and possible amplification attack",
"workarounds": [
{
"lang": "en",
"value": "Sanitize the X-Forwarded-For header by running an Apache Wicket application behind a reverse HTTP proxy. This proxy should put the client IP address in the X-Forwarded-For header and not pass through the contents of the header as received by the client."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-23937",
"STATE": "PUBLIC",
"TITLE": "DNS proxy and possible amplification attack"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Wicket",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Wicket 9.x",
"version_value": "9.2.0"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Wicket 8.x",
"version_value": "8.11.0"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Wicket 7.x",
"version_value": "7.17.0"
},
{
"version_affected": "\u003e=",
"version_name": "Apache Wicket 6.x",
"version_value": "6.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "DNS proxy and possible amplification attack"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
},
{
"name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cannounce.wicket.apache.org%3E"
},
{
"name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cusers.wicket.apache.org%3E"
},
{
"name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78@%3Cdev.wicket.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Sanitize the X-Forwarded-For header by running an Apache Wicket application behind a reverse HTTP proxy. This proxy should put the client IP address in the X-Forwarded-For header and not pass through the contents of the header as received by the client."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-23937",
"datePublished": "2021-05-25T08:05:10",
"dateReserved": "2021-01-13T00:00:00",
"dateUpdated": "2024-08-03T19:14:09.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2014-0043
Vulnerability from cvelistv5
Published
2017-10-02 13:00
Modified
2024-09-16 19:56
Severity ?
EPSS score ?
Summary
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Wicket |
Version: 1.5.10 Version: 6.13.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:58:26.567Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[wicket-announce] 20140221 CVE-2014-0043",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Wicket",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.5.10"
},
{
"status": "affected",
"version": "6.13.0"
}
]
}
],
"datePublic": "2014-02-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-02T12:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[wicket-announce] 20140221 CVE-2014-0043",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2014-02-21T00:00:00",
"ID": "CVE-2014-0043",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Wicket",
"version": {
"version_data": [
{
"version_value": "1.5.10"
},
{
"version_value": "6.13.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Information Disclosure"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[wicket-announce] 20140221 CVE-2014-0043",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d@1392986987@%3Cannounce.wicket.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2014-0043",
"datePublished": "2017-10-02T13:00:00Z",
"dateReserved": "2013-12-03T00:00:00",
"dateUpdated": "2024-09-16T19:56:10.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-36522
Vulnerability from cvelistv5
Published
2024-07-12 12:13
Modified
2025-02-13 17:52
Severity ?
EPSS score ?
Summary
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Wicket |
Version: 10.0.0-M1 ≤ 10.0.0 Version: 9.0.0 ≤ 9.17.0 Version: 8.0.0 ≤ 8.15.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:wicket:10.0.0-m1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:wicket:8.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:wicket:9.0.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "wicket",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "10.0.0",
"status": "affected",
"version": "10.0.0-m1",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.15.0",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.17.0",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-36522",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T17:04:58.271448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T17:17:44.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.178Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2024/07/12/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.wicket:wicket-util",
"product": "Apache Wicket",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "10.0.0",
"status": "affected",
"version": "10.0.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.17.0",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.15.0",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "cigar"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eprocessing input from an untrusted source without validation\u003c/span\u003e.\u003cbr\u003eUsers are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue."
}
],
"value": "The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.\nUsers are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-12T12:15:06.742Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc"
},
{
"url": "http://www.openwall.com/lists/oss-security/2024/07/12/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Wicket: Remote code execution via XSLT injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-36522",
"datePublished": "2024-07-12T12:13:51.884Z",
"dateReserved": "2024-05-30T12:02:13.706Z",
"dateUpdated": "2025-02-13T17:52:57.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}