Severity
6.5 MEDIUM
EPSS
0.6% (top 31.46%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Mar 19

Description

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 3.9 | Impact: 2.5

Affected Packages (3 packages)

Source | Package | Introduced | Fixed
NVD | apache/wicket | 9.1.0 | 9.17.0 +1
Maven | org.apache.wicket:wicket | 9.1.0 | 9.17.0 +1
CVEListV5 | apache_software_foundation/apache_wicket | 10.0.0-M1 | 10.0.0 +1

Vulnerability Details (3)

OSV
Cross-Site Request Forgery in Apache Wicket (2024-03-19)
CVEList
Apache Wicket: Possible bypass of CSRF protection (2024-03-19)
GHSA
Cross-Site Request Forgery in Apache Wicket (2024-03-19)

Vendor Advisories (1)

Red Hat
apache-wicket: Possible bypass of CSRF protection (2024-03-19)

CVE-2024-27439 (MEDIUM, CVSS 6.5) | cvebase.io