Description
In Apache Wicket 1.5.10 or 6.13.0, issuing requests to special URLs handled by Wicket makes it possible to check whether particular classes exist on the classpath, and thus whether a third-party library with a known security vulnerability is in use.
Remediation
References
https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E
Related Vulnerabilities
CVE-2018-1999046 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2011-2204 Vulnerability in maven package org.apache.tomcat:catalina
CVE-2015-2080 Vulnerability in maven package org.eclipse.jetty.aggregate:jetty-all
CVE-2011-1498 Vulnerability in maven package org.apache.httpcomponents:httpclient
CVE-2007-5333 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core