Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY0Z3YtM3Bxdi0yOTlo

Exposure of Sensitive Information to an Unauthorized Actor in Apache Wicket

By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. Affected are Apache Wicket versions 7.16.0, 8.8.0 and 9.0.0-M5

Permalink: https://github.com/advisories/GHSA-64gv-3pqv-299h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY0Z3YtM3Bxdi0yOTlo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-64gv-3pqv-299h, CVE-2020-11976
References: Blast Radius: 24.1

Affected Packages

maven:org.apache.wicket:wicket-core
Dependent packages: 420
Dependent repositories: 1,626
Downloads:
Affected Version Ranges: = 9.0.0-M5, = 9.0.0-M4, = 9.0.0-M3, = 9.0.0-M2, = 9.0.0-M1, >= 8.0.0, < 8.9.0, < 7.17.0
Fixed in: 9.0.0, 9.0.0, 9.0.0, 9.0.0, 9.0.0, 8.9.0, 7.17.0
All affected versions: 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 6.0.0, 6.1.0, 6.1.1, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0, 6.9.0, 6.9.1, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.14.0, 6.15.0, 6.16.0, 6.17.0, 6.18.0, 6.19.0, 6.20.0, 6.21.0, 6.22.0, 6.23.0, 6.24.0, 6.25.0, 6.26.0, 6.27.0, 6.27.1, 6.28.0, 6.29.0, 6.30.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 7.8.0, 7.9.0, 7.10.0, 7.11.0, 7.12.0, 7.13.0, 7.14.0, 7.15.0, 7.16.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.6.1, 8.7.0, 8.8.0, 9.0.0-M1, 9.0.0-M2, 9.0.0-M3, 9.0.0-M4, 9.0.0-M5
All unaffected versions: 7.17.0, 7.18.0, 8.9.0, 8.10.0, 8.11.0, 8.12.0, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.6.0, 9.7.0, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.11.0, 9.12.0, 9.13.0, 9.14.0, 9.15.0, 9.16.0, 9.17.0, 9.18.0, 10.0.0, 10.1.0