[CVE-2020-11976] Apache Wicket information disclosure vulnerability

[svenmeier () apache org]

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5

Description:

By crafting a special URL it is possible to make Wicket deliver 
unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information 
inside a HTML template that is usually removed during rendering.
For example if there are credentials in the markup which are never 
supposed to be visible to the client:

  <wicket:remove>
     some secret
  </wicket:remove>

The application developers are recommended to upgrade to:
- Apache Wicket 7.17.0
<http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
- Apache Wicket 8.9.0
<http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
- Apache Wicket 9.0.0
<http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>

Credit:
The vulnerability has been found and reported by Mariusz Popławski from 
Afine.

Apache Wicket Team