Homepage
About Snyk

org.apache.wicket:wicket-util@6.18.0 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.wicket:wicket-util package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Deserialization of Untrusted Data

org.apache.wicket:wicket-util is a Component-based Java web framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Depending on the ISerializer set in the Wicket application, it's possible that a Wicket's object deserialized from an untrusted source and utilized by the application to causes the code to enter in an infinite loop. Specifically, Wicket's DiskFileItem class, serialized by Kryo, allows an attacker to hack its serialized form to put a client on an infinite loop if the client attempts to write on the DeferredFileOutputStream attribute.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.wicket:wicket-util to version 1.5.17, 6.25.0 or higher.

[1.5.0,1.5.17) [6.0.0,6.25.0)
  • H
Inadequate Encryption Strength

org.apache.wicket:wicket-util Affected versions of the package are vulnerable to Inadequate Encryption Strength. With Wicket's default security settings the usage of CryptoMapper to encrypt/obfuscate pages' urls is not strong enough. It is possible to predict the encrypted version of an url based on the previous history.

[,1.5.13) [6,6.19 .0) [7-alpha,7.0.0-M5)
Go back to all versions of this package