CVE-2024-27439 – org.apache.wicket:wicket

Package

Manager: maven
Name: org.apache.wicket:wicket
Vulnerable Version: >=9.1.0 <9.17.0 || >=10.0.0-m1 <10.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00303 pctl0.53076

Details

Cross-Site Request Forgery in Apache Wicket An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

Metadata

Created: 2024-03-19T12:30:40Z
Modified: 2025-02-13T19:05:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-8vvp-525h-cxf9/GHSA-8vvp-525h-cxf9.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-8vvp-525h-cxf9
Finding: F007
Auto approve: 1