www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martijn Dashorst <dasho...@apache.org>
Subject [ANNOUNCE] CVE-2016-6806: Apache Wicket CSRF detection vulnerability
Date Tue, 08 Nov 2016 12:07:52 GMT
CVE-2016-6806: Apache Wicket CSRF detection vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 6.20.0, 6.21.0, 6.22.0, 6.23.0, 6.24.0, 7.0.0,
7.1.0, 7.2.0, 7.3.0, 7.4.0 and 8.0.0-M1

Description: Affected versions of Apache Wicket provide a CSRF prevention
measure that fails to discover some cross origin requests. The mitigation is
to not only check the Origin HTTP header, but also take the Referer HTTP
header into account when no Origin was provided. Furthermore, not all
Wicket server side targets were subjected to the CSRF check. This was also
fixed.

Mitigation: 6.x users should upgrade to 6.25.0, 7.x users should upgrade to
7.5.0 and 8.0.0-M1 users should upgrade to 8.0.0-M2.

Credit: This issue was discovered by Gerben Janssen van Doorn

References: https://wicket.apache.org/news

Mime
View raw message