CVE-2024-27439

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-27439
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27439.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-27439
Aliases
Published
2024-03-19T11:15:06.537Z
Modified
2026-04-10T05:11:50.904806Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.

Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

References

Affected packages

Git / github.com/apache/wicket

Affected ranges

Type
GIT
Repo
https://github.com/apache/wicket
Events
Introduced
661e7797b8f361debc83984c58cc21be98fedf8b
Fixed
31760ab2980c808425412db99e1b65ed232fda36
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
4a578260ec001580042b1c8b158d96992fc18beb
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c007939df9c05fd458f1e416d0969f1ed74b0ccd
Database specific 
{
    "versions": [
        {
            "introduced": "9.1.0"
        },
        {
            "fixed": "9.17.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "10.0.0-milestone1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "10.0.0-milestone2"
        }
    ]
}

Affected versions

rel/wicket-10.*
rel/wicket-10.0.0-M1
rel/wicket-10.0.0-M2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27439.json"