
FKIE_CVE-2024-53299

Vulnerability from fkie_nvd - Published: 2025-01-23 09:15 - Updated: 2025-06-27 19:41
Summary
The request handling in the core of Apache Wicket allows an attacker to cause a denial of service (DoS) by issuing multiple requests to server resources (CWE-400, uncontrolled resource consumption). Although the advisory text names only 7.0.0, the CPE match data below marks every release from 7.0.0 through 7.18.0, 8.0.0 through 8.16.0, 9.0.0 before 9.19.0 and 10.0.0 before 10.3.0 as vulnerable. Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fix this issue; no fixed release is listed for the 7.x or 8.x lines. Note that the CVSS v3.1 vector below (AV:N/AC:L/PR:L/UI:N) rates this as requiring low privileges and no user interaction, with availability impact only.
Impacted products
Vendor Product Version
apache wicket *
apache wicket *
apache wicket *
apache wicket *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "89F22F1D-1719-4BA0-AF01-4991D7C51BB4",
              "versionEndIncluding": "7.18.0",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1E82E304-3D91-42D1-BA33-67D3C506F817",
              "versionEndIncluding": "8.16.0",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1930820D-7167-480E-B2ED-7B54BFA139CF",
              "versionEndExcluding": "9.19.0",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FEF67075-6C48-4C2E-BDAC-ED904916ABF8",
              "versionEndExcluding": "10.3.0",
              "versionStartIncluding": "10.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.\nUsers are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue."
    },
    {
      "lang": "es",
      "value": "La gesti\u00f3n de solicitudes en el n\u00facleo de Apache Wicket 7.0.0 en cualquier plataforma permite a un atacante crear un ataque de denegaci\u00f3n de servicio (DOS) mediante m\u00faltiples solicitudes a los recursos del servidor. Se recomienda a los usuarios actualizar a las versiones 9.19.0 o 10.3.0, que solucionan este problema."
    }
  ],
  "id": "CVE-2024-53299",
  "lastModified": "2025-06-27T19:41:44.010",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-23T09:15:07.033",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/01/22/12"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-36522

Vulnerability from fkie_nvd - Published: 2024-07-12 13:15 - Updated: 2025-07-10 17:53
Summary
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when it processes input from an untrusted source without validation (CWE-74, improper neutralization of special elements; CVSS v3.1 9.8 — network-reachable, no privileges or user interaction required). Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue. Note that the CPE match data below lists only the 10.0.0 milestone builds (M1, M2) for the 10.x line even though the fixed version is given as 10.1.0; whether 10.0.0 GA is affected cannot be determined from this record, so confirm against the vendor advisory before relying on these CPE ranges for matching.
Impacted products
Vendor Product Version
apache wicket *
apache wicket *
apache wicket 10.0.0
apache wicket 10.0.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DEED7F9D-5919-4A11-9086-100C03EDE51C",
              "versionEndExcluding": "8.16.0",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4FCE2526-59E6-4E84-9CE2-CDADBE20FFAD",
              "versionEndExcluding": "9.18.0",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:10.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "9365B852-58AE-46B0-8EA5-41AB42E3BC40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:10.0.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "AFEF17BD-48F1-4CAF-A195-45EE63001E12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.\nUsers are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue."
    },
    {
      "lang": "es",
      "value": "La configuraci\u00f3n predeterminada de XSLTResourceStream.java es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo mediante inyecci\u00f3n XSLT cuando se procesa entrada de una fuente que no es de confianza sin validaci\u00f3n. Se recomienda a los usuarios actualizar a las versiones 10.1.0, 9.18.0 u 8.16.0, que solucionan este problema."
    }
  ],
  "id": "CVE-2024-36522",
  "lastModified": "2025-07-10T17:53:04.740",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-07-12T13:15:11.867",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/07/12/2"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/07/12/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2024-27439

Vulnerability from fkie_nvd - Published: 2024-03-19 11:15 - Updated: 2025-06-27 14:43
Summary
An error in the evaluation of the Fetch Metadata request headers could allow a bypass of the CSRF protection in Apache Wicket (CWE-352). This issue affects Apache Wicket from 9.1.0 through 9.16.0, and the milestone releases (M1, M2) of the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the Fetch Metadata headers and as such is not affected — meaning 8.x has no such protection to bypass, not that it is protected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fix the issue.
Impacted products
Vendor Product Version
apache wicket *
apache wicket 10.0.0
apache wicket 10.0.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "26BA1B22-867F-4638-B682-97D916E23EF6",
              "versionEndExcluding": "9.17.0",
              "versionStartIncluding": "9.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:10.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "9365B852-58AE-46B0-8EA5-41AB42E3BC40",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:10.0.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "AFEF17BD-48F1-4CAF-A195-45EE63001E12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.\nThis issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.\nApache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.\n\nUsers are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue."
    },
    {
      "lang": "es",
      "value": "Un error en la evaluaci\u00f3n de los encabezados de metadatos de recuperaci\u00f3n podr\u00eda permitir eludir la protecci\u00f3n CSRF en Apache Wicket. Este problema afecta a Apache Wicket: desde 9.1.0 hasta 9.16.0 y los lanzamientos importantes para la serie 10.0. Apache Wicket 8.x no admite la protecci\u00f3n CSRF a trav\u00e9s de los encabezados de metadatos de recuperaci\u00f3n y, como tal, no se ve afectado. Se recomienda a los usuarios actualizar a la versi\u00f3n 9.17.0 o 10.0.0, que soluciona el problema."
    }
  ],
  "id": "CVE-2024-27439",
  "lastModified": "2025-06-27T14:43:53.587",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-19T11:15:06.537",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/03/19/2"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/03/19/2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        },
        {
          "lang": "en",
          "value": "CWE-444"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2021-23937

Vulnerability from fkie_nvd - Published: 2021-05-25 17:15 - Updated: 2024-11-21 05:52
Summary
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. The lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service of either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x up to and including 9.2.0; 8.x up to and including 8.11.0; 7.x up to and including 7.17.0; and, per the CPE match data below, 6.x from 6.0.0 through 6.2.0 (the original advisory wording, "6.2.0 and later versions", conflicts with that range — check the vendor advisory before relying on either). NVD tags this CWE-200, although the impact rated in the CVSS vectors below is availability only (C:N/I:N/A:H).
Impacted products
Vendor Product Version
apache wicket *
apache wicket *
apache wicket *
apache wicket *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D5643CD-3063-4900-9EB7-86470C8C1384",
              "versionEndIncluding": "6.2.0",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7793CFFA-F876-4DD4-8E2F-C34FBB79FC47",
              "versionEndIncluding": "7.17.0",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "02FE0D40-F64F-4EDA-B650-9AB6A13F5190",
              "versionEndIncluding": "8.11.0",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4009313-BE49-4B49-A890-59FDE9D9E0C1",
              "versionEndIncluding": "9.2.0",
              "versionStartIncluding": "9.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions."
    },
    {
      "lang": "es",
      "value": "Un proxy DNS y una posible vulnerabilidad de ataque de amplificaci\u00f3n en WebClientInfo de Apache Wicket permiten que un atacante active b\u00fasquedas de DNS arbitrarias desde el servidor cuando el encabezado X-Forwarded-For no se sanea correctamente.\u0026#xa0;Esta b\u00fasqueda de DNS puede ser dise\u00f1ada para sobrecargar un servidor DNS interno o para ralentizar el procesamiento de peticiones de la aplicaci\u00f3n Apache Wicket, lo que provoca una posible Denegaci\u00f3n de Servicio en la infraestructura interna o en la propia aplicaci\u00f3n web.\u0026#xa0;Este problema afecta a Apache Wicket Apache Wicket 9.x versiones 9.2.0 y anteriores;\u0026#xa0;Apache Wicket 8.x versiones 8.11.0 y anteriores;\u0026#xa0;Apache Wicket 7.x versiones 7.17.0 y anteriores y Apache Wicket 6.x versiones 6.2.0 y posteriores"
    }
  ],
  "id": "CVE-2021-23937",
  "lastModified": "2024-11-21T05:52:05.323",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-25T17:15:08.187",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2020-11976

Vulnerability from fkie_nvd - Published: 2020-08-11 19:15 - Updated: 2024-11-21 04:59
Summary
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering (CWE-552, files or directories accessible to external parties; CVSS v3.1 7.5, confidentiality impact only). The advisory names Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5, but the CPE match data below treats every 7.x release before 7.17.0, every 8.x release from 8.0.0 before 8.9.0, and the 9.0.0 milestones M1 through M5 as vulnerable, and also lists Apache Fortress 2.0.5 as an affected downstream product. Upgrade to 7.17.0 or 8.9.0 accordingly; no fixed 9.0.0 build is named in this record.
References
security@apache.org — https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E
security@apache.org — https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E — Mailing List, Release Notes, Vendor Advisory
security@apache.org — https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E
security@apache.org — https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E
security@apache.org — https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E
security@apache.org — https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E
security@apache.org — https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E
security@apache.org — https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 — https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 — https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E — Mailing List, Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 — https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 — https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 — https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 — https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 — https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108 — https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E
Impacted products
Vendor Product Version
apache fortress 2.0.5
apache wicket *
apache wicket *
apache wicket 9.0.0
apache wicket 9.0.0
apache wicket 9.0.0
apache wicket 9.0.0
apache wicket 9.0.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:fortress:2.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1E8415A-630F-49E7-884B-7709152FCC1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "78B9CFEA-EB05-4194-AD11-E9FE027E8672",
              "versionEndExcluding": "7.17.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "433CC8EE-1FF6-4775-8BB3-C2856D0D6C84",
              "versionEndExcluding": "8.9.0",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "0AF306D2-9108-49E8-993F-41D3727A0928",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "A5FEF5B5-EF69-4BD4-BACD-48B2997F1C31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "A6150044-BE40-41C8-AE2A-4467FB112979",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "1FC13E6E-5635-4A6F-809D-FF6E82105D25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:9.0.0:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "CEEA9DE0-E0C9-4840-9928-A079136324F0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5"
    },
    {
      "lang": "es",
      "value": "Al crear una URL especial, es posible hacer que Wicket entregue plantillas HTML no procesadas. Esto permitir\u00eda a un atacante visualizar informaci\u00f3n posiblemente confidencial dentro de una plantilla HTML que es com\u00fanmente eliminada durante la renderizaci\u00f3n. Est\u00e1n afectadas las versiones 7.16.0, 8.8.0 y 9.0.0-M5 de Apache Wicket"
    }
  ],
  "id": "CVE-2020-11976",
  "lastModified": "2024-11-21T04:59:01.770",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-08-11T19:15:17.220",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-552"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2012-5636

Vulnerability from fkie_nvd - Published: 2017-10-30 19:29 - Updated: 2025-04-20 01:37
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response.
Impacted products
Vendor Product Version
apache wicket 1.4.0
apache wicket 1.4.1
apache wicket 1.4.2
apache wicket 1.4.3
apache wicket 1.4.4
apache wicket 1.4.5
apache wicket 1.4.6
apache wicket 1.4.7
apache wicket 1.4.8
apache wicket 1.4.9
apache wicket 1.4.10
apache wicket 1.4.11
apache wicket 1.4.12
apache wicket 1.4.13
apache wicket 1.4.14
apache wicket 1.4.15
apache wicket 1.4.16
apache wicket 1.4.17
apache wicket 1.4.18
apache wicket 1.4.19
apache wicket 1.4.20
apache wicket 1.4.21
apache wicket 1.5.0
apache wicket 1.5.1
apache wicket 1.5.2
apache wicket 1.5.3
apache wicket 1.5.4
apache wicket 1.5.5
apache wicket 1.5.6
apache wicket 1.5.7
apache wicket 1.5.8
apache wicket 1.5.9
apache wicket 6.0.0
apache wicket 6.1.0
apache wicket 6.1.1
apache wicket 6.2.0
apache wicket 6.3.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DC8D24C-2501-4FA6-BAB9-F51D6CACEFC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "22992CF6-6E59-47CD-ACA6-87EEB0E48FDA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1676E4E8-B7C4-4107-A8BF-D70F14B7230C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "3606F125-B3D9-4347-965F-AE632D861543",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "03D21845-F146-4DDD-B4AD-C2A587652BB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "31022C02-15EE-4BF9-A224-F3B0073E0AF8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "D474779B-A497-402A-96FA-372DE208C2CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "6169BE6B-AF63-4DDC-8EBF-06DB55A3E9C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4AFDECA-4622-4517-A105-3CC5A28E8E59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "5633A8F1-3293-46A9-85CF-132DF43FA2EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "2E0C154E-D85F-4D98-BC14-378DDEBEDE63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "E2363D36-C48D-47E4-8870-81FE4204511E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "504D3DC9-DDF2-4162-AA55-947FF510392F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8F77C3A-2FF3-4F2D-B399-6969DB900364",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4145A4C-D783-426A-A59A-812C50E44DCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "DF61708E-E966-4C82-AEF8-CF2E08F69D2D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D2E15E2-56F3-4B41-B8CB-97A196C201FA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.17:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E8962F1-2107-455D-8197-AE08B4097B72",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "395C7BE2-EE16-4659-9E18-4A6F348D2428",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "A08BD56A-1033-452E-929A-A922277963BB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7663A85-1338-4DB4-87EE-527EE303381B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.4.21:*:*:*:*:*:*:*",
              "matchCriteriaId": "03FFA363-D9C0-4806-9DA9-2110CD10A5A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A5F0F32-F5EF-4E9B-B832-115CC041BC6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "24AD7290-714C-48DB-88AF-EB83CEB7E879",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2FF7823-F324-4428-A047-7A7B3C89E25A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "16816B8B-6E66-4F42-886C-FC44FC6108CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "46B33A86-0253-47E3-BC27-1AED5B8B3003",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "7B46EBE4-D1C9-43FB-A9AD-249AD01BC38E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "98375403-4DF9-43B4-8601-7932EBE40526",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "BBBAA82C-F304-4488-97C2-B8C357465B2F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDEBB9A4-38B8-4B67-9F0D-D28796B88009",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "FBC9D7ED-9785-40C2-B3C8-141FD2CE3C26",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8C2287A-F526-44C4-AD1D-0BE7857C1FC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF725E92-BAB8-4A0D-925B-AD4F6065E1D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C61C7A6-3233-4710-92B6-46562AF18479",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "330AA15C-8A05-4302-AD8A-54DE6015642F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "18F7EBAA-BE71-43C6-8F28-B23511B88402",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \u003cscript\u003e tags in a rendered response."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en Apache Wicket en versiones 1.4.x anteriores a la 1.4.22, versiones 1.5.x anteriores a la 1.5.10 y las versiones 6.x anteriores a la 6.4.0 podr\u00eda permitir que atacantes remotos inyecten scripts web o HTML arbitrarios mediante vectores relacionados con las etiquetas"
    }
  ],
  "id": "CVE-2012-5636",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-10-30T19:29:00.247",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/101644"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/101644"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2014-3526

Vulnerability from fkie_nvd - Published: 2017-10-30 14:29 - Updated: 2025-04-20 01:37
Summary
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
Impacted products
Vendor Product Version
apache wicket *
apache wicket 6.0.0
apache wicket 6.0.0
apache wicket 6.0.0
apache wicket 6.0.0
apache wicket 6.1.0
apache wicket 6.1.1
apache wicket 6.2.0
apache wicket 6.3.0
apache wicket 6.4.0
apache wicket 6.5.0
apache wicket 6.6.0
apache wicket 6.7.0
apache wicket 6.8.0
apache wicket 6.9.0
apache wicket 6.9.1
apache wicket 6.10.0
apache wicket 6.11.0
apache wicket 6.12.0
apache wicket 6.13.0
apache wicket 6.14.0
apache wicket 6.15.0
apache wicket 6.16.0
apache wicket 7.0.0
apache wicket 7.0.0
apache wicket 7.0.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3DD671FB-9967-4ADA-8152-10DEA64F8BB7",
              "versionEndExcluding": "1.5.12",
              "versionStartIncluding": "1.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E8C2287A-F526-44C4-AD1D-0BE7857C1FC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "BC22417A-E4B0-4512-8D96-210782855FFF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.0.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "C594BC43-D6BE-41A8-A307-0166C3DE71A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.0.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "8F160D55-152E-4CA4-A506-E91079D94D10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FF725E92-BAB8-4A0D-925B-AD4F6065E1D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C61C7A6-3233-4710-92B6-46562AF18479",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "330AA15C-8A05-4302-AD8A-54DE6015642F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "18F7EBAA-BE71-43C6-8F28-B23511B88402",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A9D513BF-CC50-4F96-8926-55081BF98EDA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4DCDA2F5-3C16-4093-81BD-EAB43A804419",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "ECE30441-B145-4860-AD95-DF20AB4D8DFB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "710697FA-A859-4E66-B3A2-5A03AB21B1D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C5A33E3-166A-41CE-8542-7AEEEC8DB42D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "94072681-D452-4068-813E-191F3306FDEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B821243-5C36-4B54-8180-C88740B2D58F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "83F52DED-EC06-42F9-B851-7E99B0D74851",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "74E55244-D41E-48CB-BF65-67F5FE17A703",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "7EFD25C8-EBEA-40D0-8D38-23770EA010AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.13.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "51C6F793-FC42-4189-ACB7-E4CC5BEFA7B2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.14.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3EF63DDD-3909-495D-A7CF-514A19ED04DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7396595-B40E-41CB-AAD8-6777A3FF5938",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.16.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4BB87904-83A0-42B6-A3B1-57F8A91847A8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "455D1DE8-2794-458C-AEBB-C957701E511D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "AADF9D31-21F8-45AD-8B85-86244D4529F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "B6A90E52-0EF7-4C84-814F-9D6EE832C535",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions."
    },
    {
      "lang": "es",
      "value": "Apache Wicket en versiones anteriores a la 1.5.12, las versiones 6.x anteriores a la 6.17.0 y las versiones 7.x anteriores a la 7.0.0-M3 podr\u00eda permitir que atacantes remotos obtengan informaci\u00f3n sensible mediante vectores relacionados con identificadores para almacenar etiquetas de p\u00e1gina para sesiones de usuario temporales."
    }
  ],
  "id": "CVE-2014-3526",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-10-30T14:29:00.500",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2016-6806

Vulnerability from fkie_nvd - Published: 2017-10-03 01:29 - Updated: 2025-04-20 01:37
Summary
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.
Impacted products
Vendor Product Version
apache wicket 6.20.0
apache wicket 6.21.0
apache wicket 6.22.0
apache wicket 6.23.0
apache wicket 6.24.0
apache wicket 7.0.0
apache wicket 7.1.0
apache wicket 7.2.0
apache wicket 7.3.0
apache wicket 7.4.0
apache wicket 8.0.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.20.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "CE39FD3D-CDA9-4D99-A366-B2EA4BACBEA5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.21.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "682D2CA1-2C60-435B-88A3-CF9FA0CD849F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.22.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5A062A9-19FA-4C57-86EC-A947CF3694E9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.23.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4D4168A-48E4-4BEC-B005-6053C9DDD0AE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.24.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E71E4459-6B11-4D2C-99C5-2D9242051CED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "455D1DE8-2794-458C-AEBB-C957701E511D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EDBFF2B-1533-4C08-A0E1-48DB06BAB2F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "B154816C-F671-4825-9D6C-CCA175FE5890",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D304ABE-C7DB-4B2A-A33F-BC3AA39E4B3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "65E36EB8-C386-43CC-BCBE-9CEB34FC99A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:8.0.0:m1:*:*:*:*:*:*",
              "matchCriteriaId": "2C1FA122-ED49-40B7-93E5-06ADDFBAA84D",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed."
    },
    {
      "lang": "es",
      "value": "Apache Wicket en versiones 6.x anteriores a la 6.25.0, versiones 7.x anteriores a la 7.5.0 y en la versi\u00f3n 8.0.0-M1 proporciona una medida de prevenci\u00f3n de Cross-Site Request Forgery (CSRF) que no descubre determinadas peticiones de or\u00edgenes cruzados. La mitigaci\u00f3n no solo consiste en comprobar la cabecera HTTP Origin, sino que tambi\u00e9n tiene en cuenta la cabecera HTTP Referer cuando no se proporciona ninguna cabecera Origin. Adem\u00e1s, no todos los destinos del lado del servidor de Wicket se someten a chequeos de Cross-Site Request Forgery (CSRF). Esto tambi\u00e9n se ha solucionado."
    }
  ],
  "id": "CVE-2016-6806",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-10-03T01:29:00.967",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2014-0043

Vulnerability from fkie_nvd - Published: 2017-10-03 01:29 - Updated: 2025-04-20 01:37
Summary
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.
Impacted products
Vendor Product Version
apache wicket 1.5.10
apache wicket 6.13.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:wicket:1.5.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "E58A9F81-EB16-4DAA-955F-149229B3E1B1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:6.13.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "51C6F793-FC42-4189-ACB7-E4CC5BEFA7B2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use."
    },
    {
      "lang": "es",
      "value": "En Apache Wicket 1.5.10 o 6.13.0, al enviar peticiones a URL especiales manejadas por Wicket, es posible comprobar la existencia de clases espec\u00edficas en el classpath y por lo tanto se puede comprobar si hay alguna librer\u00eda externa con alguna vulnerabilidad conocida en uso"
    }
  ],
  "id": "CVE-2014-0043",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-10-03T01:29:00.327",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2014-7808

Vulnerability from fkie_nvd - Published: 2017-09-15 20:29 - Updated: 2025-04-20 01:37
Summary
Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.
Impacted products
Vendor Product Version
apache wicket *
apache wicket *
apache wicket 7.0.0
apache wicket 7.0.0
apache wicket 7.0.0
apache wicket 7.0.0
apache wicket 7.0.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9AE2A0CF-ADE9-4708-B3E8-2FD5DC7E5FF5",
              "versionEndExcluding": "1.5.13",
              "versionStartIncluding": "1.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F935C3AF-B4F6-48BA-879F-C916CA6C2D0E",
              "versionEndExcluding": "6.19.0",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "AADF9D31-21F8-45AD-8B85-86244D4529F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "B6A90E52-0EF7-4C84-814F-9D6EE832C535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "4BC0D445-E39E-472B-8CB9-F363517064CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "F973CD8F-987E-4772-BF35-90076F403796",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:wicket:7.0.0:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "ED3DF7AF-FA68-4DEF-B098-B96510E9ED06",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider."
    },
    {
      "lang": "es",
      "value": "Apache Wicket en versiones anteriores a la 1.5.13, 6.x anteriores a la 6.19.0 y 7.x anteriores a la 7.0.0-M5 facilita que los atacantes superen el mecanismo de protecci\u00f3n criptogr\u00e1fica y predigan URL cifradas aprovechando el uso de CryptoMapper como proveedor por defecto de cifrado."
    }
  ],
  "id": "CVE-2014-7808",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-09-15T20:29:00.193",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2024-53299 (GCVE-0-2024-53299)

Vulnerability from cvelistv5 – Published: 2025-01-23 08:37 – Updated: 2025-02-04 18:52
Summary
The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources. Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fix this issue.
Severity ?
No CVSS data available.
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 7.0.0 , ≤ 7.18.* (semver)
Affected: 8.0.0-M1 , ≤ 8.16.* (semver)
Affected: 9.0.0-M1 , ≤ 9.18.* (semver)
Affected: 10.0.0-M1 , ≤ 10.2.* (semver)
Credits
Pedro Santos

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-23T18:03:26.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/22/12"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-53299",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T18:52:21.123757Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T18:52:25.991Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "7.18.*",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.16.*",
              "status": "affected",
              "version": "8.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.18.*",
              "status": "affected",
              "version": "9.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.2.*",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pedro Santos"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.\u003cbr\u003eUsers are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue."
            }
          ],
          "value": "The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.\nUsers are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-23T08:37:05.687Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Wicket: An attacker can intentionally trigger a memory leak",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-53299",
    "datePublished": "2025-01-23T08:37:05.687Z",
    "dateReserved": "2024-11-20T13:50:04.810Z",
    "dateUpdated": "2025-02-04T18:52:25.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-36522 (GCVE-0-2024-36522)

Vulnerability from cvelistv5 – Published: 2024-07-12 12:13 – Updated: 2025-02-13 17:52
Summary
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
Severity ?
No CVSS data available.
CWE
  • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 10.0.0-M1 , ≤ 10.0.0 (semver)
Affected: 9.0.0 , ≤ 9.17.0 (semver)
Affected: 8.0.0 , ≤ 8.15.0 (semver)
Credits
cigar

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:wicket:10.0.0-m1:*:*:*:*:*:*:*",
              "cpe:2.3:a:apache:wicket:8.0.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:apache:wicket:9.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "wicket",
            "vendor": "apache",
            "versions": [
              {
                "lessThanOrEqual": "10.0.0",
                "status": "affected",
                "version": "10.0.0-m1",
                "versionType": "semver"
              },
              {
                "lessThanOrEqual": "8.15.0",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "semver"
              },
              {
                "lessThanOrEqual": "9.17.0",
                "status": "affected",
                "version": "9.0.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-36522",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-12T17:04:58.271448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-12T17:17:44.301Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:37:05.178Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/07/12/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.wicket:wicket-util",
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "10.0.0",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.17.0",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.15.0",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "cigar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eprocessing input from an untrusted source without validation\u003c/span\u003e.\u003cbr\u003eUsers are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue."
            }
          ],
          "value": "The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.\nUsers are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-12T12:15:06.742Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/07/12/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Wicket: Remote code execution via XSLT injection",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-36522",
    "datePublished": "2024-07-12T12:13:51.884Z",
    "dateReserved": "2024-05-30T12:02:13.706Z",
    "dateUpdated": "2025-02-13T17:52:57.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27439 (GCVE-0-2024-27439)

Vulnerability from cvelistv5 – Published: 2024-03-19 11:07 – Updated: 2025-02-13 17:46
Summary
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fix the issue.
Severity ?
No CVSS data available.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
  • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 9.1.0 , ≤ 9.16.0 (semver)
Affected: 10.0.0-M1 , < 10.0.0 (semver)
Credits
Jo Theunis

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:34:52.295Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/19/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-27439",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-22T14:09:05.246765Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-06T20:15:21.179Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "9.16.0",
              "status": "affected",
              "version": "9.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.0.0",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jo Theunis"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.\u003cbr\u003eApache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.\nThis issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.\nApache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.\n\nUsers are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T18:08:47.285Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/19/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Wicket: Possible bypass of CSRF protection",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-27439",
    "datePublished": "2024-03-19T11:07:47.648Z",
    "dateReserved": "2024-02-25T20:15:40.414Z",
    "dateUpdated": "2025-02-13T17:46:30.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-23937 (GCVE-0-2021-23937)

Vulnerability from cvelistv5 – Published: 2021-05-25 08:05 – Updated: 2024-08-03 19:14
Summary
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions.
Severity ?
No CVSS data available.
CWE
  • DNS proxy and possible amplification attack
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: Apache Wicket 9.x , ≤ 9.2.0 (custom)
Affected: Apache Wicket 8.x , ≤ 8.11.0 (custom)
Affected: Apache Wicket 7.x , ≤ 7.17.0 (custom)
Affected: 6.2.0 , < Apache Wicket 6.x* (custom)
Credits
Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:14:09.890Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
          },
          {
            "name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"
          },
          {
            "name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"
          },
          {
            "name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "9.2.0",
              "status": "affected",
              "version": "Apache Wicket 9.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "8.11.0",
              "status": "affected",
              "version": "Apache Wicket 8.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "7.17.0",
              "status": "affected",
              "version": "Apache Wicket 7.x",
              "versionType": "custom"
            },
            {
              "lessThan": "Apache Wicket 6.x*",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "DNS proxy and possible amplification attack",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-26T16:06:16",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
        },
        {
          "name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"
        },
        {
          "name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"
        },
        {
          "name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "DNS proxy and possible amplification attack",
      "workarounds": [
        {
          "lang": "en",
          "value": "Sanitize the X-Forwarded-For header by running the Apache Wicket application behind a reverse HTTP proxy. The proxy must overwrite the X-Forwarded-For header with the connecting client's IP address rather than appending to or passing through the header value as received from the client; an appended header still carries the attacker-supplied value into the application."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-23937",
          "STATE": "PUBLIC",
          "TITLE": "DNS proxy and possible amplification attack"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Wicket",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Wicket 9.x",
                            "version_value": "9.2.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Wicket 8.x",
                            "version_value": "8.11.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Wicket 7.x",
                            "version_value": "7.17.0"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "Apache Wicket 6.x",
                            "version_value": "6.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "DNS proxy and possible amplification attack"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
            },
            {
              "name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cannounce.wicket.apache.org%3E"
            },
            {
              "name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cusers.wicket.apache.org%3E"
            },
            {
              "name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78@%3Cdev.wicket.apache.org%3E"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Sanitize the X-Forwarded-For header by running the Apache Wicket application behind a reverse HTTP proxy. The proxy must overwrite the X-Forwarded-For header with the connecting client's IP address rather than appending to or passing through the header value as received from the client; an appended header still carries the attacker-supplied value into the application."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-23937",
    "datePublished": "2021-05-25T08:05:10",
    "dateReserved": "2021-01-13T00:00:00",
    "dateUpdated": "2024-08-03T19:14:09.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-11976 (GCVE-0-2020-11976)

Vulnerability from cvelistv5 – Published: 2020-08-11 18:15 – Updated: 2024-08-04 11:48
Summary
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside an HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5; the referenced downstream fix (FC-293) upgrades wicket-core to 8.9.0 for the 8.x line.
Severity ?
No CVSS data available.
CWE
  • Information Disclosure
Assigner
Impacted products
Vendor Product Version
n/a Apache Wicket Affected: Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:57.562Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E"
          },
          {
            "name": "[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -\u003e 8.9.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210626 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Wicket",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-26T16:06:17",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E"
        },
        {
          "name": "[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -\u003e 8.9.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210626 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-11976",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Wicket",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E"
            },
            {
              "name": "[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -\u003e 8.9.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7@%3Ccommits.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210626 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923@%3Cdev.directory.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-11976",
    "datePublished": "2020-08-11T18:15:51",
    "dateReserved": "2020-04-21T00:00:00",
    "dateUpdated": "2024-08-04T11:48:57.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2012-5636 (GCVE-0-2012-5636)

Vulnerability from cvelistv5 – Published: 2017-10-30 19:00 – Updated: 2024-08-06 21:14
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:14:16.232Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html"
          },
          {
            "name": "101644",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101644"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-03-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \u003cscript\u003e tags in a rendered response."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-03T09:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html"
        },
        {
          "name": "101644",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101644"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2012-5636",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \u003cscript\u003e tags in a rendered response."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html",
              "refsource": "CONFIRM",
              "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html"
            },
            {
              "name": "101644",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101644"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2012-5636",
    "datePublished": "2017-10-30T19:00:00",
    "dateReserved": "2012-10-24T00:00:00",
    "dateUpdated": "2024-08-06T21:14:16.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-3526 (GCVE-0-2014-3526)

Vulnerability from cvelistv5 – Published: 2017-10-30 14:00 – Updated: 2024-08-06 10:50
Summary
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T10:50:16.801Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-09-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-30T13:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-3526",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html",
              "refsource": "CONFIRM",
              "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2014-3526",
    "datePublished": "2017-10-30T14:00:00",
    "dateReserved": "2014-05-14T00:00:00",
    "dateUpdated": "2024-08-06T10:50:16.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-6806 (GCVE-0-2016-6806)

Vulnerability from cvelistv5 – Published: 2017-10-02 13:00 – Updated: 2024-09-16 20:57
Summary
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to detect some cross-origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server-side targets were subjected to the CSRF check; this was also fixed in the same releases.
Severity ?
No CVSS data available.
CWE
  • CSRF check fails
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 6.20.0
Affected: 6.21.0
Affected: 6.22.0
Affected: 6.23.0
Affected: 6.24.0
Affected: 7.0.0
Affected: 7.1.0
Affected: 7.2.0
Affected: 7.3.0
Affected: 7.4.0
Affected: 8.0.0-M1

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:43:37.801Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "6.20.0"
            },
            {
              "status": "affected",
              "version": "6.21.0"
            },
            {
              "status": "affected",
              "version": "6.22.0"
            },
            {
              "status": "affected",
              "version": "6.23.0"
            },
            {
              "status": "affected",
              "version": "6.24.0"
            },
            {
              "status": "affected",
              "version": "7.0.0"
            },
            {
              "status": "affected",
              "version": "7.1.0"
            },
            {
              "status": "affected",
              "version": "7.2.0"
            },
            {
              "status": "affected",
              "version": "7.3.0"
            },
            {
              "status": "affected",
              "version": "7.4.0"
            },
            {
              "status": "affected",
              "version": "8.0.0-M1"
            }
          ]
        }
      ],
      "datePublic": "2016-11-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CSRF check fails",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-02T12:57:01",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2016-11-08T00:00:00",
          "ID": "CVE-2016-6806",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Wicket",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.20.0"
                          },
                          {
                            "version_value": "6.21.0"
                          },
                          {
                            "version_value": "6.22.0"
                          },
                          {
                            "version_value": "6.23.0"
                          },
                          {
                            "version_value": "6.24.0"
                          },
                          {
                            "version_value": "7.0.0"
                          },
                          {
                            "version_value": "7.1.0"
                          },
                          {
                            "version_value": "7.2.0"
                          },
                          {
                            "version_value": "7.3.0"
                          },
                          {
                            "version_value": "7.4.0"
                          },
                          {
                            "version_value": "8.0.0-M1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CSRF check fails"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd@%3Cannounce.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2016-6806",
    "datePublished": "2017-10-02T13:00:00Z",
    "dateReserved": "2016-08-12T00:00:00",
    "dateUpdated": "2024-09-16T20:57:22.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-0043 (GCVE-0-2014-0043)

Vulnerability from cvelistv5 – Published: 2017-10-02 13:00 – Updated: 2024-09-16 19:56
Summary
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special URLs handled by Wicket, it is possible to check for the existence of particular classes on the classpath and thus determine whether a third-party library with a known security vulnerability is in use.
Severity ?
No CVSS data available.
CWE
  • Information Disclosure
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 1.5.10
Affected: 6.13.0

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:58:26.567Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[wicket-announce] 20140221 CVE-2014-0043",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "1.5.10"
            },
            {
              "status": "affected",
              "version": "6.13.0"
            }
          ]
        }
      ],
      "datePublic": "2014-02-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-02T12:57:01",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[wicket-announce] 20140221 CVE-2014-0043",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2014-02-21T00:00:00",
          "ID": "CVE-2014-0043",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Wicket",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.5.10"
                          },
                          {
                            "version_value": "6.13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[wicket-announce] 20140221 CVE-2014-0043",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d@1392986987@%3Cannounce.wicket.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2014-0043",
    "datePublished": "2017-10-02T13:00:00Z",
    "dateReserved": "2013-12-03T00:00:00",
    "dateUpdated": "2024-09-16T19:56:10.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-7808 (GCVE-0-2014-7808)

Vulnerability from cvelistv5 – Published: 2017-09-15 20:00 – Updated: 2024-08-06 13:03
Summary
Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:03:27.296Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[wicket-users] 20150218 CVE-2014-7808",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-02-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-15T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[wicket-users] 20150218 CVE-2014-7808",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-7808",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[wicket-users] 20150218 CVE-2014-7808",
              "refsource": "MLIST",
              "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw@mail.gmail.com%3E"
            },
            {
              "name": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html",
              "refsource": "MISC",
              "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2014-7808",
    "datePublished": "2017-09-15T20:00:00",
    "dateReserved": "2014-10-03T00:00:00",
    "dateUpdated": "2024-08-06T13:03:27.296Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-53299 (GCVE-0-2024-53299)

Vulnerability from nvd – Published: 2025-01-23 08:37 – Updated: 2025-02-04 18:52
Summary
The request handling in the core of Apache Wicket 7.0.0 on any platform allows an attacker to cause a DoS via multiple requests to server resources. Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fix this issue.
Severity ?
No CVSS data available from the CNA; the CISA ADP container in the record below supplies a CVSS 3.1 base score of 6.5 (MEDIUM), while the CNA's own textual severity in the record is "critical".
CWE
  • CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 7.0.0 , ≤ 7.18.* (semver)
Affected: 8.0.0-M1 , ≤ 8.16.* (semver)
Affected: 9.0.0-M1 , ≤ 9.18.* (semver)
Affected: 10.0.0-M1 , ≤ 10.2.* (semver)
Credits
Pedro Santos

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-01-23T18:03:26.240Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/01/22/12"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-53299",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-04T18:52:21.123757Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-04T18:52:25.991Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "7.18.*",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.16.*",
              "status": "affected",
              "version": "8.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.18.*",
              "status": "affected",
              "version": "9.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.2.*",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Pedro Santos"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.\u003cbr\u003eUsers are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue."
            }
          ],
          "value": "The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.\nUsers are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-23T08:37:05.687Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/gyp2ht00c62827y0379lxh5dbx3hhho5"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Wicket: An attacker can intentionally trigger a memory leak",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-53299",
    "datePublished": "2025-01-23T08:37:05.687Z",
    "dateReserved": "2024-11-20T13:50:04.810Z",
    "dateUpdated": "2025-02-04T18:52:25.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-36522 (GCVE-0-2024-36522)

Vulnerability from nvd – Published: 2024-07-12 12:13 – Updated: 2025-02-13 17:52
Summary
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
Severity ?
No CVSS data available from the CNA; the CISA ADP container in the record below supplies a CVSS 3.1 base score of 9.8 (CRITICAL), while the CNA's own textual severity in the record is "moderate".
CWE
  • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 10.0.0-M1 , ≤ 10.0.0 (semver)
Affected: 9.0.0 , ≤ 9.17.0 (semver)
Affected: 8.0.0 , ≤ 8.15.0 (semver)
Credits
cigar

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:wicket:10.0.0-m1:*:*:*:*:*:*:*",
              "cpe:2.3:a:apache:wicket:8.0.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:apache:wicket:9.0.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unaffected",
            "product": "wicket",
            "vendor": "apache",
            "versions": [
              {
                "lessThanOrEqual": "10.0.0",
                "status": "affected",
                "version": "10.0.0-m1",
                "versionType": "semver"
              },
              {
                "lessThanOrEqual": "8.15.0",
                "status": "affected",
                "version": "8.0.0",
                "versionType": "semver"
              },
              {
                "lessThanOrEqual": "9.17.0",
                "status": "affected",
                "version": "9.0.0",
                "versionType": "semver"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-36522",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-12T17:04:58.271448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-12T17:17:44.301Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:37:05.178Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/07/12/2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.wicket:wicket-util",
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "10.0.0",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.17.0",
              "status": "affected",
              "version": "9.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.15.0",
              "status": "affected",
              "version": "8.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "cigar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eprocessing input from an untrusted source without validation\u003c/span\u003e.\u003cbr\u003eUsers are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue."
            }
          ],
          "value": "The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.\nUsers are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-12T12:15:06.742Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/07/12/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Wicket: Remote code execution via XSLT injection",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-36522",
    "datePublished": "2024-07-12T12:13:51.884Z",
    "dateReserved": "2024-05-30T12:02:13.706Z",
    "dateUpdated": "2025-02-13T17:52:57.312Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-27439 (GCVE-0-2024-27439)

Vulnerability from nvd – Published: 2024-03-19 11:07 – Updated: 2025-02-13 17:46
Summary
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
Severity ?
No CVSS data available from the CNA; the CISA ADP container in the record below supplies a CVSS 3.1 base score of 6.5 (MEDIUM).
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
  • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 9.1.0 , ≤ 9.16.0 (semver)
Affected: 10.0.0-M1 , < 10.0.0 (semver)
Credits
Jo Theunis

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:34:52.295Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/03/19/2"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-27439",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-22T14:09:05.246765Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-06T20:15:21.179Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "9.16.0",
              "status": "affected",
              "version": "9.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "10.0.0",
              "status": "affected",
              "version": "10.0.0-M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jo Theunis"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.\u003cbr\u003eApache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.\nThis issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.\nApache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.\n\nUsers are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-05-01T18:08:47.285Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/03/19/2"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Wicket: Possible bypass of CSRF protection",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-27439",
    "datePublished": "2024-03-19T11:07:47.648Z",
    "dateReserved": "2024-02-25T20:15:40.414Z",
    "dateUpdated": "2025-02-13T17:46:30.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-23937 (GCVE-0-2021-23937)

Vulnerability from nvd – Published: 2021-05-25 08:05 – Updated: 2024-08-03 19:14
Summary
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions.
Severity ?
No CVSS data available.
CWE
  • DNS proxy and possible amplification attack
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: Apache Wicket 9.x , ≤ 9.2.0 (custom)
Affected: Apache Wicket 8.x , ≤ 8.11.0 (custom)
Affected: Apache Wicket 7.x , ≤ 7.17.0 (custom)
Affected: 6.2.0 , < Apache Wicket 6.x* (custom)
Credits
Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T19:14:09.890Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
          },
          {
            "name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"
          },
          {
            "name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"
          },
          {
            "name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "9.2.0",
              "status": "affected",
              "version": "Apache Wicket 9.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "8.11.0",
              "status": "affected",
              "version": "Apache Wicket 8.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "7.17.0",
              "status": "affected",
              "version": "Apache Wicket 7.x",
              "versionType": "custom"
            },
            {
              "lessThan": "Apache Wicket 6.x*",
              "status": "affected",
              "version": "6.2.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "DNS proxy and possible amplification attack",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-26T16:06:16",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
        },
        {
          "name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"
        },
        {
          "name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"
        },
        {
          "name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "DNS proxy and possible amplification attack",
      "workarounds": [
        {
          "lang": "en",
          "value": "Sanitize the X-Forwarded-For header by running an Apache Wicket application behind a reverse HTTP proxy. This proxy should put the client IP address in the X-Forwarded-For header and not pass through the contents of the header as received by the client."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-23937",
          "STATE": "PUBLIC",
          "TITLE": "DNS proxy and possible amplification attack"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Wicket",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Wicket 9.x",
                            "version_value": "9.2.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Wicket 8.x",
                            "version_value": "8.11.0"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Wicket 7.x",
                            "version_value": "7.17.0"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "Apache Wicket 6.x",
                            "version_value": "6.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Wicket would like to thank Jonathan Juursema from Topicus.Healthcare for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "DNS proxy and possible amplification attack"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
            },
            {
              "name": "[wicket-announce] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cannounce.wicket.apache.org%3E"
            },
            {
              "name": "[wicket-users] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cusers.wicket.apache.org%3E"
            },
            {
              "name": "[wicket-dev] 20210526 Re: CVE-2021-23937: Apache Wicket: DNS proxy and possible amplification attack",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78@%3Cdev.wicket.apache.org%3E"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Sanitize the X-Forwarded-For header by running an Apache Wicket application behind a reverse HTTP proxy. This proxy should put the client IP address in the X-Forwarded-For header and not pass through the contents of the header as received by the client."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-23937",
    "datePublished": "2021-05-25T08:05:10",
    "dateReserved": "2021-01-13T00:00:00",
    "dateUpdated": "2024-08-03T19:14:09.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-11976 (GCVE-0-2020-11976)

Vulnerability from nvd – Published: 2020-08-11 18:15 – Updated: 2024-08-04 11:48
Summary
By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5
Severity ?
No CVSS data available.
CWE
  • Information Disclosure
Assigner
Impacted products
Vendor Product Version
n/a Apache Wicket Affected: Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T11:48:57.562Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E"
          },
          {
            "name": "[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -\u003e 8.9.0",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210626 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E"
          },
          {
            "name": "[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Wicket",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-26T16:06:17",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E"
        },
        {
          "name": "[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -\u003e 8.9.0",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7%40%3Ccommits.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210626 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff%40%3Cdev.directory.apache.org%3E"
        },
        {
          "name": "[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923%40%3Cdev.directory.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-11976",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Wicket",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Wicket 7.16.0, 8.8.0, 9.0.0-M5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E"
            },
            {
              "name": "[directory-commits] 20210513 [directory-fortress-commander] branch master updated: FC-293 - CVE-2020-11976 - upgrade wicket core -\u003e 8.9.0",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd0f36b83cc9f28b016ec552f023fb5a59a9ea8db56f2b9dcc6a2f6b7@%3Ccommits.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210513 [jira] [Created] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r982c626dbce5c995223c4a6ddd7685de3592f8d65ba8372da1f3ce19@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210514 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r05340178680eb6b9d4d40d56b5621dd4ae9715e6f41f12ae2288ec49@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210626 [jira] [Updated] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/reb7ea8141c713b5b19eaf34c00f43aaebf5a1c116130f763c42bdad1@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210626 [jira] [Resolved] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd26cae6e30b205e09e4b511d3d962d4f677c0c604f737997ce1b2f22@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210626 [jira] [Closed] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rdec0a43afdca59c10416889e07267f3d2fdf4ab929a6e22a2659b6ff@%3Cdev.directory.apache.org%3E"
            },
            {
              "name": "[directory-dev] 20210626 [jira] [Reopened] (FC-293) [fortress-web] CVE-2020-11976",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/re4af65851bf69605cfb68be215eba36d4cdc1a90b95fbc894799d923@%3Cdev.directory.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-11976",
    "datePublished": "2020-08-11T18:15:51",
    "dateReserved": "2020-04-21T00:00:00",
    "dateUpdated": "2024-08-04T11:48:57.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2012-5636 (GCVE-0-2012-5636)

Vulnerability from nvd – Published: 2017-10-30 19:00 – Updated: 2024-08-06 21:14
Summary
Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to <script> tags in a rendered response.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:14:16.232Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html"
          },
          {
            "name": "101644",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101644"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-03-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \u003cscript\u003e tags in a rendered response."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-03T09:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html"
        },
        {
          "name": "101644",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101644"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2012-5636",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before 1.4.22, 1.5.x before 1.5.10, and 6.x before 6.4.0 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \u003cscript\u003e tags in a rendered response."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html",
              "refsource": "CONFIRM",
              "url": "https://wicket.apache.org/news/2013/03/03/cve-2012-5636.html"
            },
            {
              "name": "101644",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101644"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2012-5636",
    "datePublished": "2017-10-30T19:00:00",
    "dateReserved": "2012-10-24T00:00:00",
    "dateUpdated": "2024-08-06T21:14:16.232Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-3526 (GCVE-0-2014-3526)

Vulnerability from nvd – Published: 2017-10-30 14:00 – Updated: 2024-08-06 10:50
Summary
Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T10:50:16.801Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-09-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-30T13:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-3526",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html",
              "refsource": "CONFIRM",
              "url": "https://wicket.apache.org/news/2014/09/22/cve-2014-3526.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2014-3526",
    "datePublished": "2017-10-30T14:00:00",
    "dateReserved": "2014-05-14T00:00:00",
    "dateUpdated": "2024-08-06T10:50:16.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-6806 (GCVE-0-2016-6806)

Vulnerability from nvd – Published: 2017-10-02 13:00 – Updated: 2024-09-16 20:57
Summary
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.
Severity
No CVSS data available.
CWE
  • CSRF check fails
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 6.20.0
Affected: 6.21.0
Affected: 6.22.0
Affected: 6.23.0
Affected: 6.24.0
Affected: 7.0.0
Affected: 7.1.0
Affected: 7.2.0
Affected: 7.3.0
Affected: 7.4.0
Affected: 8.0.0-M1

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:43:37.801Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "6.20.0"
            },
            {
              "status": "affected",
              "version": "6.21.0"
            },
            {
              "status": "affected",
              "version": "6.22.0"
            },
            {
              "status": "affected",
              "version": "6.23.0"
            },
            {
              "status": "affected",
              "version": "6.24.0"
            },
            {
              "status": "affected",
              "version": "7.0.0"
            },
            {
              "status": "affected",
              "version": "7.1.0"
            },
            {
              "status": "affected",
              "version": "7.2.0"
            },
            {
              "status": "affected",
              "version": "7.3.0"
            },
            {
              "status": "affected",
              "version": "7.4.0"
            },
            {
              "status": "affected",
              "version": "8.0.0-M1"
            }
          ]
        }
      ],
      "datePublic": "2016-11-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CSRF check fails",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-02T12:57:01",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2016-11-08T00:00:00",
          "ID": "CVE-2016-6806",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Wicket",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "6.20.0"
                          },
                          {
                            "version_value": "6.21.0"
                          },
                          {
                            "version_value": "6.22.0"
                          },
                          {
                            "version_value": "6.23.0"
                          },
                          {
                            "version_value": "6.24.0"
                          },
                          {
                            "version_value": "7.0.0"
                          },
                          {
                            "version_value": "7.1.0"
                          },
                          {
                            "version_value": "7.2.0"
                          },
                          {
                            "version_value": "7.3.0"
                          },
                          {
                            "version_value": "7.4.0"
                          },
                          {
                            "version_value": "8.0.0-M1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CSRF check fails"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd@%3Cannounce.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2016-6806",
    "datePublished": "2017-10-02T13:00:00Z",
    "dateReserved": "2016-08-12T00:00:00",
    "dateUpdated": "2024-09-16T20:57:22.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-0043 (GCVE-0-2014-0043)

Vulnerability from nvd – Published: 2017-10-02 13:00 – Updated: 2024-09-16 19:56
Summary
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.
Severity
No CVSS data available.
CWE
  • Information Disclosure
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Wicket Affected: 1.5.10
Affected: 6.13.0

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T08:58:26.567Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[wicket-announce] 20140221 CVE-2014-0043",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Wicket",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "1.5.10"
            },
            {
              "status": "affected",
              "version": "6.13.0"
            }
          ]
        }
      ],
      "datePublic": "2014-02-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-10-02T12:57:01",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[wicket-announce] 20140221 CVE-2014-0043",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "DATE_PUBLIC": "2014-02-21T00:00:00",
          "ID": "CVE-2014-0043",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Wicket",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.5.10"
                          },
                          {
                            "version_value": "6.13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[wicket-announce] 20140221 CVE-2014-0043",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d@1392986987@%3Cannounce.wicket.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2014-0043",
    "datePublished": "2017-10-02T13:00:00Z",
    "dateReserved": "2013-12-03T00:00:00",
    "dateUpdated": "2024-09-16T19:56:10.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-7808 (GCVE-0-2014-7808)

Vulnerability from nvd – Published: 2017-09-15 20:00 – Updated: 2024-08-06 13:03
Summary
Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.
Severity
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T13:03:27.296Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[wicket-users] 20150218 CVE-2014-7808",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-02-18T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-15T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "[wicket-users] 20150218 CVE-2014-7808",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-7808",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[wicket-users] 20150218 CVE-2014-7808",
              "refsource": "MLIST",
              "url": "http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw@mail.gmail.com%3E"
            },
            {
              "name": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html",
              "refsource": "MISC",
              "url": "https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2014-7808",
    "datePublished": "2017-09-15T20:00:00",
    "dateReserved": "2014-10-03T00:00:00",
    "dateUpdated": "2024-08-06T13:03:27.296Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}