CVE-2024-27439

MEDIUM

Apache Wicket 9.1.0 - 9.16.0 and 10.0.0 milestones - CSRF Protection Bypass (Fetch Metadata Evaluation Error)

Title source: llm

Description

An error in the evaluation of the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest, which browsers attach to describe where a request originated and how it was initiated) could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket from 9.1.0 through 9.16.0 and the milestone releases of the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the Fetch Metadata headers and is therefore not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fix the issue.
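To make the description concrete, the following is the decision logic that a Fetch Metadata based CSRF defence implements, written as an added Python example for this page. It is not Apache Wicket's code (Wicket's own implementation is Java, in its request-cycle listener and resource isolation policy classes) and it does not reproduce the flaw fixed in 9.17.0. The `Request` and `Outcome` types, the policy function names, the `allow_unknown` switch and the `app.example` hosts are all assumptions made for the example. It shows the three points where the evaluation has to be right for the protection to hold: the Sec-Fetch-Site value, the narrow cross-site exception for top-level GET navigations, and what is done when a value is missing or unrecognised.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Sequence
from urllib.parse import urlsplit


class Outcome(Enum):
    ALLOWED = "allowed"
    DISALLOWED = "disallowed"
    UNKNOWN = "unknown"  # the policy found no signal to decide on


@dataclass
class Request:
    """Constructed stand-in for an inbound HTTP request (not a Wicket type)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Header names are case-insensitive; normalise once so lookups cannot miss.
        self.headers = {k.lower(): v for k, v in self.headers.items()}

    def header(self, name: str) -> Optional[str]:
        value = self.headers.get(name.lower())
        return value.strip().lower() if value is not None else None

    def host(self) -> str:
        return urlsplit(self.url).netloc.lower()


SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def fetch_metadata_policy(req: Request) -> Outcome:
    """Fetch Metadata resource isolation, following the widely published reference policy."""
    site = req.header("Sec-Fetch-Site")
    if site is None:
        return Outcome.UNKNOWN  # old browser or non-browser client: no signal
    if site in ("same-origin", "same-site", "none"):
        return Outcome.ALLOWED
    if site == "cross-site":
        mode = req.header("Sec-Fetch-Mode")
        dest = req.header("Sec-Fetch-Dest")
        # Only plain top-level navigations (link click, address bar) are allowed
        # cross-site; <object>/<embed> loads and every non-GET method are not.
        if req.method.upper() == "GET" and mode == "navigate" and dest not in ("object", "embed"):
            return Outcome.ALLOWED
        return Outcome.DISALLOWED
    # An unrecognised value is a decision, not a gap: fail closed rather than
    # letting an unexpected token fall through to ALLOWED.
    return Outcome.DISALLOWED


def origin_policy(req: Request) -> Outcome:
    """Fallback for clients without Sec-Fetch-*: compare Origin (or Referer) to the request host."""
    source = req.header("Origin") or req.header("Referer")
    if source is None:
        return Outcome.UNKNOWN
    # "Origin: null" parses to an empty netloc and is therefore rejected.
    return Outcome.ALLOWED if urlsplit(source).netloc == req.host() else Outcome.DISALLOWED


def is_request_allowed(
    req: Request,
    policies: Sequence[Callable[[Request], Outcome]] = (fetch_metadata_policy, origin_policy),
    allow_unknown: bool = False,
) -> bool:
    """First policy with a definite answer wins; all-UNKNOWN falls back to the configured default."""
    for policy in policies:
        outcome = policy(req)
        if outcome is not Outcome.UNKNOWN:
            return outcome is Outcome.ALLOWED
    # No policy could decide. Safe methods pass; state-changing ones need explicit opt-in.
    return allow_unknown or req.method.upper() in SAFE_METHODS


if __name__ == "__main__":
    # Constructed sample requests: a cross-site form POST is the classic CSRF shape.
    forged = Request("POST", "https://app.example/transfer",
                     {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"})
    genuine = Request("POST", "https://app.example/transfer", {"Sec-Fetch-Site": "same-origin"})
    print("forged cross-site POST allowed?", is_request_allowed(forged))
    print("same-origin POST allowed?", is_request_allowed(genuine))
```

The ordering of the checks is the whole defence: a cross-site request reaches ALLOWED only through the single GET-navigation branch, every other cross-site shape and every unrecognised Sec-Fetch-Site value ends in DISALLOWED, and the absence of the headers is handed to the Origin check rather than treated as proof of a same-origin request. When reviewing any implementation of this logic, those are the branches to trace.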

Scores

CVSS v3 6.5
EPSS 0.0057
EPSS Percentile 68.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-444 (Inconsistent Interpretation of HTTP Requests), CWE-352 (Cross-Site Request Forgery)
Status published
Products (3)
apache/wicket 10.0.0 milestone1 (2 CPE variants)
apache/wicket 9.1.0 up to, but not including, 9.17.0
org.apache.wicket/wicket 9.1.0 up to, but not including, 9.17.0 (Maven)
Published Mar 19, 2024
Tracked Since Feb 18, 2026