Wicket possible bypass of CSRF protection
Issue date: 02-10-2024
Affects versions: 15.6, 15.5, 15.4, 15.2, 15.1, 15.0
Security Issue ID
SECURITY-545
Affected Product Version(s)
15.6.0 (and previous patch releases)
Severity
Medium
Description
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.
CVSS v3 Base Score: N/A
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-352: Cross-Site Request Forgery (CSRF)
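The description refers to the server-side evaluation of the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) that a resource-isolation CSRF defence relies on. The Python below is an added reference implementation of such a check, written for this advisory; it is not Apache Wicket's code and does not reproduce the flaw in the affected releases. It assumes the request arrives as a method string plus a raw list of header name/value pairs (the sample requests are constructed inline), and it shows the three decisions a practitioner needs to get right: fail closed on unrecognised or duplicated header values, allow only plain cross-site navigations, and treat a request without any Fetch Metadata as undecided so a fallback check (an Origin check or a CSRF token) is applied rather than a silent allow.

```python
# Reference Fetch Metadata resource-isolation check (added example; not Apache Wicket code).
from enum import Enum
from typing import Callable, Dict, Iterable, Optional, Tuple


class Outcome(Enum):
    ALLOWED = "allowed"
    DISALLOWED = "disallowed"
    UNDECIDED = "undecided"   # no Fetch Metadata present: caller must apply a fallback check


# HTTP methods a cross-site top-level navigation may use. Compared case-sensitively on purpose:
# method tokens are case-sensitive in HTTP, and normalising them here would widen the allow list.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# Sec-Fetch-Site values that are not cross-site ("none" = user-initiated, e.g. a typed URL).
NOT_CROSS_SITE = frozenset({"same-origin", "same-site", "none"})
NAVIGATION_MODES = frozenset({"navigate", "nested-navigate"})
# Destinations that would let another site embed the response; never allowed cross-site.
EMBEDDABLE_DESTS = frozenset({"object", "embed"})


def collect_fetch_metadata(headers: Iterable[Tuple[str, str]]) -> Optional[Dict[str, str]]:
    """Pick the Sec-Fetch-* headers out of raw (name, value) pairs.

    Returns None if any Sec-Fetch-* header occurs more than once: a browser sends each
    exactly once, and two copies mean two components may read different values (CWE-444).
    """
    found: Dict[str, str] = {}
    for name, value in headers:
        key = name.strip().lower()          # header *names* are case-insensitive
        if not key.startswith("sec-fetch-"):
            continue
        if key in found:
            return None
        found[key] = value.strip()          # header *values* are kept as sent; no case folding
    return found


def evaluate(method: str, headers: Iterable[Tuple[str, str]]) -> Outcome:
    """Resource-isolation policy: decide purely from method and Fetch Metadata."""
    fm = collect_fetch_metadata(headers)
    if fm is None:
        return Outcome.DISALLOWED           # inconsistent duplicates: fail closed
    site = fm.get("sec-fetch-site")
    if site is None:
        return Outcome.UNDECIDED            # legacy client: not our call to make
    if site in NOT_CROSS_SITE:
        return Outcome.ALLOWED
    if site != "cross-site":
        return Outcome.DISALLOWED           # unknown value: fail closed rather than guess
    mode = fm.get("sec-fetch-mode")
    dest = fm.get("sec-fetch-dest")
    # Only a plain top-level navigation (a followed link, a safe-method GET) is allowed cross-site.
    # Assumption of this example: Sec-Fetch-Dest must be present for that exception to apply.
    if (mode in NAVIGATION_MODES and method in SAFE_METHODS
            and dest is not None and dest not in EMBEDDABLE_DESTS):
        return Outcome.ALLOWED
    return Outcome.DISALLOWED


def is_request_allowed(method: str, headers: Iterable[Tuple[str, str]],
                       fallback: Callable[[], bool]) -> bool:
    """Apply the policy; only an UNDECIDED outcome defers to the fallback (e.g. a token check)."""
    outcome = evaluate(method, headers)
    if outcome is Outcome.UNDECIDED:
        return fallback()
    return outcome is Outcome.ALLOWED


# Constructed sample requests (not captured traffic): (method, raw header pairs).
SAMPLES = {
    "same_origin_post": ("POST", [("Sec-Fetch-Site", "same-origin"),
                                  ("Sec-Fetch-Mode", "cors"), ("Sec-Fetch-Dest", "empty")]),
    "cross_site_link": ("GET", [("Sec-Fetch-Site", "cross-site"),
                                ("Sec-Fetch-Mode", "navigate"), ("Sec-Fetch-Dest", "document")]),
    "cross_site_form_post": ("POST", [("Sec-Fetch-Site", "cross-site"),
                                      ("Sec-Fetch-Mode", "navigate"), ("Sec-Fetch-Dest", "document")]),
    "cross_site_embed": ("GET", [("Sec-Fetch-Site", "cross-site"),
                                 ("Sec-Fetch-Mode", "navigate"), ("Sec-Fetch-Dest", "embed")]),
    "cross_site_fetch": ("POST", [("Sec-Fetch-Site", "cross-site"),
                                  ("Sec-Fetch-Mode", "cors"), ("Sec-Fetch-Dest", "empty")]),
    "legacy_browser": ("POST", [("User-Agent", "constructed/1.0")]),
    "duplicated_site": ("POST", [("Sec-Fetch-Site", "cross-site"), ("sec-fetch-site", "same-origin"),
                                 ("Sec-Fetch-Mode", "navigate"), ("Sec-Fetch-Dest", "document")]),
    "unknown_value": ("POST", [("Sec-Fetch-Site", "Same-Origin")]),
}

if __name__ == "__main__":
    for label, (method, hdrs) in SAMPLES.items():
        print(f"{label:22s} -> {evaluate(method, hdrs).value}")
```

The split between ALLOWED, DISALLOWED and UNDECIDED is the design point: a policy that collapses "no header" and "unknown value" into the same branch is where the allow and deny cases get confused, so the fallback is reached only when the browser genuinely sent no Fetch Metadata at all.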
Instructions
Customers are recommended to upgrade to the latest version (15.7.0 as of the time of writing).