CVE-2024-27439

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-27439

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-27439.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-27439

Aliases

GHSA-8vvp-525h-cxf9

Published

2024-03-19T11:15:06Z

Modified

2025-06-27T21:21:11Z

Summary

[none]

Details

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.

Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

References

Affected packages

Git / github.com/apache/wicket

Affected ranges

Type: GIT
Repo: https://github.com/apache/wicket
Events: Introduced

661e7797b8f361debc83984c58cc21be98fedf8b

Fixed

31760ab2980c808425412db99e1b65ed232fda36