[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [CVE-2020-11976] Apache Wicket information disclosure vulnerability
From: svenmeier () apache ! org
Date: 2020-08-10 16:24:20
Message-ID: 61e677d2-4c00-acba-de1b-6366983bef8b () meiers ! net
[Download RAW message or body]
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5
Description:
By crafting a special URL it is possible to make Wicket deliver
unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information
inside a HTML template that is usually removed during rendering.
For example if there are credentials in the markup which are never
supposed to be visible to the client:
<wicket:remove>
some secret
</wicket:remove>
The application developers are recommended to upgrade to:
- Apache Wicket 7.17.0
<http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
- Apache Wicket 8.9.0
<http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
- Apache Wicket 9.0.0
<http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>
Credit:
The vulnerability has been found and reported by Mariusz Popławski from
Afine.
Apache Wicket Team
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic