Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04dnZwLTUyNWgtY3hmOc4AA6Hm
Cross-Site Request Forgery in Apache Wicket
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.
This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.
Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.
Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
Permalink: https://github.com/advisories/GHSA-8vvp-525h-cxf9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04dnZwLTUyNWgtY3hmOc4AA6Hm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 month ago
Updated: about 14 hours ago
Identifiers: GHSA-8vvp-525h-cxf9, CVE-2024-27439
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-27439
- https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo
- http://www.openwall.com/lists/oss-security/2024/03/19/2
- https://github.com/advisories/GHSA-8vvp-525h-cxf9
Affected Packages
maven:org.apache.wicket:wicket
Dependent packages: 198Dependent repositories: 1,209
Downloads:
Affected Version Ranges: >= 10.0.0-M1, < 10.0.0, >= 9.1.0, < 9.17.0
Fixed in: 10.0.0, 9.17.0
All affected versions: 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.11.0, 9.12.0, 9.13.0, 9.14.0, 9.15.0, 9.16.0, 10.0.0-M1, 10.0.0-M2
All unaffected versions: 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.20, 1.4.21, 1.4.22, 1.4.23, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 6.0.0, 6.1.0, 6.1.1, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0, 6.9.0, 6.9.1, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.14.0, 6.15.0, 6.16.0, 6.17.0, 6.18.0, 6.19.0, 6.20.0, 6.21.0, 6.22.0, 6.23.0, 6.24.0, 6.25.0, 6.26.0, 6.27.0, 6.27.1, 6.28.0, 6.29.0, 6.30.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0, 7.9.0, 7.10.0, 7.11.0, 7.12.0, 7.13.0, 7.14.0, 7.15.0, 7.16.0, 7.17.0, 7.18.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.6.1, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 9.0.0, 9.17.0, 10.0.0