
List:       oss-security
Subject:    [oss-security] [CVE-2020-11976] Apache Wicket information disclosure vulnerability
From:       svenmeier () apache ! org
Date:       2020-08-10 16:24:20
Message-ID: 61e677d2-4c00-acba-de1b-6366983bef8b () meiers ! net

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5

Description:

By crafting a special URL it is possible to make Wicket deliver 
unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information 
inside an HTML template that is usually removed during rendering.
For example, if there are credentials in the markup which are never 
supposed to be visible to the client:

   <wicket:remove>
      some secret
   </wicket:remove>
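
As an added example (not part of this advisory or of Wicket itself), a small Python audit helper that lists the <wicket:remove> blocks in a project's templates, flags content that looks credential-like so it can be taken out of the markup, and checks a rendered response for leftover wicket: tags; the keyword list and the sample template are constructed assumptions.

```python
import re
from typing import List, Tuple

# A <wicket:remove> block is stripped at render time, so its content is only
# visible to a client if the raw template is served unprocessed.
REMOVE_BLOCK = re.compile(r"<wicket:remove\b[^>]*>(.*?)</wicket:remove>",
                          re.IGNORECASE | re.DOTALL)
# Any wicket:-namespaced element left in a response means the template was not rendered.
WICKET_TAG = re.compile(r"</?wicket:[a-z]+\b", re.IGNORECASE)
# Assumed keyword heuristic for credential-like text (not from the advisory).
SENSITIVE = re.compile(r"passw|secret|token|api[_-]?key|credential", re.IGNORECASE)


def find_remove_blocks(markup: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped content) for every <wicket:remove> block."""
    blocks = []
    for m in REMOVE_BLOCK.finditer(markup):
        line = markup.count("\n", 0, m.start()) + 1
        blocks.append((line, m.group(1).strip()))
    return blocks


def flag_sensitive_blocks(markup: str) -> List[Tuple[int, str]]:
    """Blocks whose content looks like a credential and should not live in markup at all."""
    return [(line, body) for line, body in find_remove_blocks(markup) if SENSITIVE.search(body)]


def response_looks_unprocessed(body: str) -> bool:
    """True if a response still carries wicket: elements, i.e. a raw template was delivered."""
    return WICKET_TAG.search(body) is not None


# Constructed sample template modelled on the advisory's <wicket:remove> example.
SAMPLE_TEMPLATE = """<html>
<body>
  <wicket:remove>
     Dev note: layout placeholder
  </wicket:remove>
  <div wicket:id="content"></div>
  <wicket:remove>
     db password: hunter2-example
  </wicket:remove>
</body>
</html>"""

if __name__ == "__main__":
    for line, body in flag_sensitive_blocks(SAMPLE_TEMPLATE):
        print(f"line {line}: credential-like text inside <wicket:remove>: {body!r}")
```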

The application developers are recommended to upgrade to:
- Apache Wicket 7.17.0
<http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
- Apache Wicket 8.9.0
<http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
- Apache Wicket 9.0.0
<http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>

Credit:
The vulnerability has been found and reported by Mariusz Popławski from 
Afine.

Apache Wicket Team
