Home > Vulnerability Database > CVE-2024-27439

Mend.io Vulnerability Database

CVE-2024-27439

Good to know:

Date: March 19, 2024

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

Language: Java

Severity Score

5.5

Related Resources (4)

Url: https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-27439

Url: http://www.openwall.com/lists/oss-security/2024/03/19/2

Url: https://www.mend.io/vulnerability-database/CVE-2024-27439

Severity Score

5.5

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-444

Top Fix

Upgrade Version

Upgrade to version org.apache.wicket:wicket-core:9.17.0

Learn More

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-27439

Good to know:

Date: March 19, 2024

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?