oss-security - CVE-2024-27439: Apache Wicket: Possible bypass of CSRF protection

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <6a508792-1abe-83b2-c675-f60d2efab9dc@apache.org>
Date: Tue, 19 Mar 2024 10:47:38 +0000
From: Emond Papegaaij <papegaaij@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-27439: Apache Wicket: Possible bypass of CSRF protection 

Severity: moderate

Affected versions:

- Apache Wicket 9.1.0 through 9.16.0
- Apache Wicket 10.0.0-M1 before 10.0.0

Description:

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.
This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.
Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.

Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

Credit:

Jo Theunis (finder)

References:

https://wicket.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-27439

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.