CVE-2021-23937

CWE-200Information ExposureCWE-20Improper Input Validation4 documents4 sources
Severity
7.5HIGH
EPSS
5.2%
top 10.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache WicketApache Wicket
Timeline
PublishedMay 25
Latest updateMay 24

Description

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apa

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

Mavenorg.apache.wicket:wicket-core9.0.09.3.0+2
CVEListV5apache_software_foundation/apache_wicket6.2.0Apache Wicket 6.x*+3
NVDapache/wicket6.0.06.2.0+3

🔴Vulnerability Details

3
OSV
DNS based denial of service in Apache Wicket2022-05-24
GHSA
DNS based denial of service in Apache Wicket2022-05-24
CVEList
DNS proxy and possible amplification attack2021-05-25