An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
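The description above says only that the Fetch Metadata headers were evaluated incorrectly, so the following is an added illustration of the check itself, not Apache Wicket's code and not a claim about which step of Wicket's evaluation was wrong. It implements the published Fetch Metadata resource isolation recipe (Sec-Fetch-Site / Sec-Fetch-Mode / Sec-Fetch-Dest) with an Origin-header fallback for clients that send no Fetch Metadata, and runs it over constructed header sets that mirror what a browser sends for a same-origin form, a cross-site auto-submitted form, a credentialed cross-site fetch(), a link click, an <embed> load and a legacy client. The `Outcome` enum, the policy ordering, the fail-closed rule when no policy can decide, and the origin `https://app.example` are all assumptions of this example.

```python
"""Fetch Metadata resource isolation check: added example, not Apache Wicket's code.

Encodes the published Fetch Metadata "resource isolation policy" recipe plus an
Origin-header fallback. The Outcome enum, the sample requests and the allowed
origin set are constructed for this example; nothing here states which step of
Wicket's own evaluation was wrong in CVE-2024-27439.
"""
from enum import Enum
from typing import Mapping, Optional


class Outcome(Enum):
    ALLOWED = "allowed"
    DISALLOWED = "disallowed"
    UNKNOWN = "unknown"  # policy cannot decide; the caller must fall back


SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change server state


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; values are normalised to lower case."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip().lower()
    return None


def fetch_metadata_policy(method: str, headers: Mapping[str, str]) -> Outcome:
    """Decide a request from the browser-supplied Sec-Fetch-* headers alone."""
    site = header(headers, "Sec-Fetch-Site")
    if site is None:
        return Outcome.UNKNOWN  # old browser or non-browser client
    # The browser classified the request as same-origin, same-site or
    # user-initiated (address bar, bookmark): not a cross-site forgery.
    # Drop "same-site" from this tuple if sibling subdomains are untrusted.
    if site in ("same-origin", "same-site", "none"):
        return Outcome.ALLOWED
    # Everything left is "cross-site" (an unexpected token is treated the same
    # way). Only a plain top-level GET navigation such as following a link is
    # acceptable; <object>/<embed> loads and every non-GET navigation
    # (auto-submitted forms) are rejected.
    mode = header(headers, "Sec-Fetch-Mode")
    dest = header(headers, "Sec-Fetch-Dest")
    if mode == "navigate" and method.upper() == "GET" and dest not in ("object", "embed"):
        return Outcome.ALLOWED
    return Outcome.DISALLOWED


def origin_policy(headers: Mapping[str, str], allowed_origins: set) -> Outcome:
    """Fallback: compare the Origin header against the application's origins."""
    origin = header(headers, "Origin")
    if origin is None:
        return Outcome.UNKNOWN
    return Outcome.ALLOWED if origin in allowed_origins else Outcome.DISALLOWED


def is_request_allowed(method: str, headers: Mapping[str, str], allowed_origins: set) -> bool:
    """Run the policies in order; the first decisive outcome wins.

    If no policy can decide, fail closed for state-changing methods and open
    for safe ones (an assumption of this example, not a Wicket rule).
    """
    for outcome in (fetch_metadata_policy(method, headers),
                    origin_policy(headers, allowed_origins)):
        if outcome is Outcome.ALLOWED:
            return True
        if outcome is Outcome.DISALLOWED:
            return False
    return method.upper() in SAFE_METHODS


APP_ORIGINS = {"https://app.example"}  # constructed for the example

# Constructed header sets mirroring what browsers send in each situation.
SAMPLE_REQUESTS = {
    "same-origin form post":           ("POST", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "cross-site auto-submitted form":  ("POST", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "cross-site fetch() with cookies": ("POST", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
    "cross-site link click":           ("GET",  {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    "cross-site <embed> load":         ("GET",  {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "embed"}),
    "legacy browser, foreign Origin":  ("POST", {"Origin": "https://evil.example"}),
    "legacy browser, own Origin":      ("POST", {"Origin": "https://app.example"}),
    "no headers at all, POST":         ("POST", {}),
    "no headers at all, GET":          ("GET",  {}),
}


def evaluate_samples(samples=SAMPLE_REQUESTS, allowed_origins=APP_ORIGINS) -> dict:
    """Return {name: allowed?} for each constructed request."""
    return {name: is_request_allowed(m, h, allowed_origins) for name, (m, h) in samples.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{'ALLOW ' if allowed else 'REJECT'}  {name}")
```

The cross-site rows are the ones a CSRF protection must reject; the same header combinations can be replayed against a real endpoint after upgrading (for instance with curl -X POST -H 'Sec-Fetch-Site: cross-site' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Dest: document') to confirm that a fixed Wicket version refuses them while a same-origin request still succeeds.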
History

Fri, 06 Dec 2024 21:15:00 +0000

Type: Metrics

Values Removed:

cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Values Added:

cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-03-19T11:07:47.648Z

Updated: 2024-12-06T20:15:21.179Z

Reserved: 2024-02-25T20:15:40.414Z

Link: CVE-2024-27439

Vulnrichment

Updated: 2024-08-02T00:34:52.295Z

NVD

Status: Awaiting Analysis

Published: 2024-03-19T11:15:06.537

Modified: 2024-12-06T21:15:06.447

Link: CVE-2024-27439

Red Hat

Severity: Important

Public Date: 2024-03-19T00:00:00Z

Links: CVE-2024-27439 - Bugzilla