Description
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.
Remediation
References
https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E
Related Vulnerabilities
CVE-2016-0791 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2019-10247 Vulnerability in maven package org.eclipse.jetty:jetty-server
CVE-2019-10243 Vulnerability in maven package org.eclipse.kura:target-platform
CVE-2016-6345 Vulnerability in maven package org.jboss.resteasy:resteasy-jaxrs
CVE-2019-10083 Vulnerability in maven package org.apache.nifi:nifi-web-api