GHSA-8vvp-525h-cxf9

Source

https://github.com/advisories/GHSA-8vvp-525h-cxf9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-8vvp-525h-cxf9/GHSA-8vvp-525h-cxf9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8vvp-525h-cxf9

Aliases

CVE-2024-27439

Published

2024-03-19T12:30:40Z

Modified

2024-12-06T22:23:07.405704Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Cross-Site Request Forgery in Apache Wicket

Details

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.

Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

Database specific

{
    "nvd_published_at": "2024-03-19T11:15:06Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-20T15:37:44Z"
}

References

Affected packages

Maven / org.apache.wicket:wicket

Package

Name: org.apache.wicket:wicket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.wicket/wicket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.1.0

Fixed

9.17.0

Affected versions

9.*

9.1.0

9.2.0

9.3.0

9.4.0

9.5.0

9.6.0

9.7.0

9.8.0

9.9.0

9.9.1

9.10.0

9.11.0

9.12.0

9.13.0

9.14.0

9.15.0

9.16.0

Maven / org.apache.wicket:wicket

Package

Name: org.apache.wicket:wicket; View open source insights on deps.dev
Purl: pkg:maven/org.apache.wicket/wicket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0-M1

Fixed

10.0.0

Affected versions

10.*

10.0.0-M1

10.0.0-M2