An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.
This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.
Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.
Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
Metrics
Affected Vendors & Products
References
History
Fri, 06 Dec 2024 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
cvssV3_1
|
ssvc
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2024-03-19T11:07:47.648Z
Updated: 2024-12-06T20:15:21.179Z
Reserved: 2024-02-25T20:15:40.414Z
Link: CVE-2024-27439
Vulnrichment
Updated: 2024-08-02T00:34:52.295Z
NVD
Status : Awaiting Analysis
Published: 2024-03-19T11:15:06.537
Modified: 2024-12-06T21:15:06.447
Link: CVE-2024-27439
Redhat