CVE-2021-23937 DNS proxy and possible amplification attack

2021-05-2508:05:10

apache

www.cve.org

cve-2021-23937

dns proxy

amplification attack

webclientinfo

apache wicket

denial of service

EPSS

0.002

Percentile

51.8%

JSON

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.

CNA Affected

[
  {
    "product": "Apache Wicket",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "9.2.0",
        "status": "affected",
        "version": "Apache Wicket 9.x",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "8.11.0",
        "status": "affected",
        "version": "Apache Wicket 8.x",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "7.17.0",
        "status": "affected",
        "version": "Apache Wicket 7.x",
        "versionType": "custom"
      },
      {
        "lessThan": "Apache Wicket 6.x*",
        "status": "affected",
        "version": "6.2.0",
        "versionType": "custom"
      }
    ]
  }
]