oss-sec mailing list archives
[CVE-2020-11976] Apache Wicket information disclosure vulnerability
From: svenmeier () apache org
Date: Mon, 10 Aug 2020 18:24:20 +0200
Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5 Description:By crafting a special URL it is possible to make Wicket deliver unprocessed HTML templates. This would allow an attacker to see possibly sensitive information inside a HTML template that is usually removed during rendering. For example if there are credentials in the markup which are never supposed to be visible to the client:
<wicket:remove> some secret </wicket:remove> The application developers are recommended to upgrade to: - Apache Wicket 7.17.0 <http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html> - Apache Wicket 8.9.0 <http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html> - Apache Wicket 9.0.0 <http://wicket.apache.org/news/2020/07/15/wicket-9-released.html> Credit:The vulnerability has been found and reported by Mariusz Popławski from Afine.
Apache Wicket Team
Current thread:
- [CVE-2020-11976] Apache Wicket information disclosure vulnerability svenmeier (Aug 10)