Cross-site Request Forgery (CSRF) Affecting org.apache.wicket:wicket-core package, versions [6.20.0,6.25.0) [7.0.0,7.5.0) [8-alpha,8.0.0-M2)


0.0
high
  • Attack Complexity

    Low

  • User Interaction

    Required

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGAPACHEWICKET-31018

  • published

    9 Nov 2016

  • disclosed

    9 Nov 2016

  • credit

    Gerben Janssen van Doorn

Overview

org.apache.wicket:wicket-core Affected versions of Apache Wicket provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.