CVE-2016-6793

CWE-502Deserialization of Untrusted Data3 documents3 sources
Severity
9.1CRITICAL
EPSS
3.6%
top 12.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Wicket
Timeline
PublishedJul 17
Latest updateMay 14

Description

The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages1 packages

NVDapache/wicket1.5.01.5.17+1

🔴Vulnerability Details

2
GHSA
GHSA-9q62-9q86-v696: The DiskFileItem class in Apache Wicket 62022-05-14
CVEList
CVE-2016-6793: The DiskFileItem class in Apache Wicket 62017-07-14
CVE-2016-6793 (CRITICAL CVSS 9.1) | The DiskFileItem class in Apache Wi | cvebase.io