CVE-2024-36522 – org.apache.wicket:wicket-util
Package
Manager: maven
Name: org.apache.wicket:wicket-util
Vulnerable Version: >=10.0.0-m1 <10.1.0 || >=9.0.0 <9.18.0 || >=8.0.0 <8.16.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0625 (percentile: 0.90531)
Details
Apache Wicket: Remote code execution via XSLT injection
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when it processes input from an untrusted source without validation. Users are recommended to upgrade to version 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
Metadata
Created: 2024-07-12T15:31:26Z
Modified: 2024-07-18T15:19:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-hhwc-gh8h-9rrp/GHSA-hhwc-gh8h-9rrp.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-hhwc-gh8h-9rrp
Finding: F184
Auto approve: 1