org.apache.wicket:wicket-util 6.23.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.wicket:wicket-util package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
C Arbitrary Command Execution org.apache.wicket:wicket-util is a Component-based Java web framework. Affected versions of this package are vulnerable to Arbitrary Command Execution via XSLT injection in `XSLTResourceStream.java`, which does not set `FEATURE_SECURE_PROCESSING` by default. Exploiting this vulnerability is possible when processing input from an untrusted source without validation. How to fix Arbitrary Command Execution? Upgrade `org.apache.wicket:wicket-util` to version 8.16.0, 9.18.0, 10.1.0 or higher.	[,8.16.0)[9.0.0,9.18.0)[10.0.0-M1,10.1.0)
C Deserialization of Untrusted Data org.apache.wicket:wicket-util is a Component-based Java web framework. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Depending on the `ISerializer` set in the Wicket application, it's possible that a Wicket's object deserialized from an untrusted source and utilized by the application to causes the code to enter in an infinite loop. Specifically, Wicket's `DiskFileItem` class, serialized by Kryo, allows an attacker to hack its serialized form to put a client on an infinite loop if the client attempts to write on the `DeferredFileOutputStream` attribute. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.wicket:wicket-util` to version 1.5.17, 6.25.0 or higher.	[1.5.0,1.5.17)[6.0.0,6.25.0)

Vulnerability

Vulnerable Version

Arbitrary Command Execution

org.apache.wicket:wicket-util is a Component-based Java web framework.

Affected versions of this package are vulnerable to Arbitrary Command Execution via XSLT injection in XSLTResourceStream.java, which does not set FEATURE_SECURE_PROCESSING by default. Exploiting this vulnerability is possible when processing input from an untrusted source without validation.

How to fix Arbitrary Command Execution?

Upgrade org.apache.wicket:wicket-util to version 8.16.0, 9.18.0, 10.1.0 or higher.

[,8.16.0)[9.0.0,9.18.0)[10.0.0-M1,10.1.0)

Deserialization of Untrusted Data

org.apache.wicket:wicket-util is a Component-based Java web framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Depending on the ISerializer set in the Wicket application, it's possible that a Wicket's object deserialized from an untrusted source and utilized by the application to causes the code to enter in an infinite loop. Specifically, Wicket's DiskFileItem class, serialized by Kryo, allows an attacker to hack its serialized form to put a client on an infinite loop if the client attempts to write on the DeferredFileOutputStream attribute.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.wicket:wicket-util to version 1.5.17, 6.25.0 or higher.

[1.5.0,1.5.17)[6.0.0,6.25.0)

org.apache.wicket:wicket-util@6.23.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?