Description

In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.

Remediation

References

https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E

Related Vulnerabilities

CVE-2018-1334 Vulnerability in maven package org.apache.spark:spark-core_2.11

CVE-2013-4590 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2013-4590 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-jasper

CVE-2017-16073 Vulnerability in npm package noderequest

CVE-2016-0706 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N