Description
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.
Remediation
References
https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E
Related Vulnerabilities
CVE-2016-2164 Vulnerability in maven package org.apache.openmeetings:openmeetings-server
CVE-2017-1000113 Vulnerability in maven package org.jenkins-ci.plugins:deploy
CVE-2016-3674 Vulnerability in maven package org.jbehave:jbehave-core
CVE-2017-16074 Vulnerability in npm package crossenv
CVE-2011-1498 Vulnerability in maven package org.apache.httpcomponents:httpclient