CVE-2024-36522

Source
https://cve.org/CVERecord?id=CVE-2024-36522
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36522.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-36522
Aliases
Published
2024-07-12T12:13:51.884Z
Modified
2026-07-15T02:11:47.887629288Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache Wicket: Remote code execution via XSLT injection
Details

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

Database specific
{
    "cwe_ids": [
        "CWE-74"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36522.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "10.0.0-M1"
                },
                {
                    "last_affected": "10.0.0"
                },
                {
                    "introduced": "9.0.0"
                },
                {
                    "last_affected": "9.17.0"
                },
                {
                    "introduced": "8.0.0"
                },
                {
                    "last_affected": "8.15.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/wicket

Affected ranges

Type
GIT
Repo
https://github.com/apache/wicket
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:wicket:10.0.0:milestone1:*:*:*:*:*:*",
        "cpe:2.3:a:apache:wicket:10.0.0:milestone2:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.16.0"
        },
        {
            "introduced": "9.0.0"
        },
        {
            "fixed": "9.18.0"
        },
        {
            "introduced": "10.0.0-milestone1"
        },
        {
            "last_affected": "10.0.0-milestone1"
        },
        {
            "introduced": "10.0.0-milestone2"
        },
        {
            "last_affected": "10.0.0-milestone2"
        }
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ]
}

Affected versions

10.*
10.0.0-milestone1
10.0.0-milestone2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36522.json"