[ANNOUNCE] CVE-2016-6806: Apache Wicket CSRF detection vulnerability

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ANNOUNCE] CVE-2016-6806: Apache Wicket CSRF detection vulnerability

Martijn Dashorst-4
CVE-2016-6806: Apache Wicket CSRF detection vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 6.20.0, 6.21.0, 6.22.0, 6.23.0, 6.24.0, 7.0.0,
7.1.0, 7.2.0, 7.3.0, 7.4.0 and 8.0.0-M1

Description: Affected versions of Apache Wicket provide a CSRF prevention
measure that fails to discover some cross origin requests. The mitigation is
to not only check the Origin HTTP header, but also take the Referer HTTP
header into account when no Origin was provided. Furthermore, not all
Wicket server side targets were subjected to the CSRF check. This was also
fixed.

Mitigation: 6.x users should upgrade to 6.25.0, 7.x users should upgrade to
7.5.0 and 8.0.0-M1 users should upgrade to 8.0.0-M2.

Credit: This issue was discovered by Gerben Janssen van Doorn

References: https://wicket.apache.org/news

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]