Homepage
About Snyk

org.apache.wicket:wicket-util@6.19.0 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.wicket:wicket-util package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Deserialization of Untrusted Data

org.apache.wicket:wicket-util is a Component-based Java web framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Depending on the ISerializer set in the Wicket application, it's possible that a Wicket's object deserialized from an untrusted source and utilized by the application to causes the code to enter in an infinite loop. Specifically, Wicket's DiskFileItem class, serialized by Kryo, allows an attacker to hack its serialized form to put a client on an infinite loop if the client attempts to write on the DeferredFileOutputStream attribute.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.wicket:wicket-util to version 1.5.17, 6.25.0 or higher.

[1.5.0,1.5.17) [6.0.0,6.25.0)
Go back to all versions of this package