Описание
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.
This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.
Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.
Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
A flaw was found in Apache Wicket. Under certain circumstances, this flaw allows an attacker to bypass Cross-Site Request Forgery (CSRF) protections.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Applications 6 | org.jboss.windup-windup-parent | Will not fix | ||
| Migration Toolkit for Runtimes | org.jboss.windup-windup-parent | Not affected | ||
| Red Hat Fuse 7 | org.ops4j.pax-url | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 8 | io.opentelemetry-opentelemetry-java-instrumentation | Not affected |
Показывать по
Дополнительная информация
Статус:
8.1 High
CVSS3
Связанные уязвимости
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
Уязвимость фреймворка для создания веб-приложений на языке Java Apache Wicket, связанная с подделкой межсайтовых запросов, позволяющая нарушителю осуществить CSRF-атаку
8.1 High
CVSS3