GitHub Advisory Database: GHSA-HHWC-GH8H-9RRP
History: Jul 12, 2024 - 3:31 p.m.

Apache Wicket: Remote code execution via XSLT injection

2024-07-12 15:31:26
CWE-74
Source: GitHub Advisory Database (github.com)
8
Tags: apache wicket, xslt injection, remote code execution, configuration, upgrade, validation, untrusted source, security issue, software

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
AI Score: 8 (Confidence: Low)
EPSS: 0 (Percentile: 9.3%)

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
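As an added illustration of the hardening the advisory implies (example code written for this page, not Wicket's XSLTResourceStream and not taken from the advisory), the Java below builds a javax.xml.transform.TransformerFactory with JAXP secure processing enabled and external DTD/stylesheet access disabled, then applies an application-owned stylesheet to an untrusted document. The class name SafeXslt, the method names and the sample stylesheet and document are constructed for this example; it assumes the JDK's built-in XSLT processor and makes no claim about what Wicket's own default configuration set.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

/** Hypothetical helper showing a hardened XSLT setup; not part of Apache Wicket. */
public final class SafeXslt {

    /** Builds a factory whose transformers refuse the usual code-execution and data-fetch routes. */
    public static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory factory = TransformerFactory.newInstance();
        // JAXP secure processing: with the JDK's built-in XSLTC this disables
        // Java extension functions and other unsafe extensions in stylesheets.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Forbid fetching external DTDs and external stylesheets (document(),
        // xsl:import, xsl:include) over any protocol. A third-party processor
        // that does not know these attributes throws IllegalArgumentException;
        // let that propagate rather than silently running without the limits.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /**
     * Applies a stylesheet the application owns to a document that may come
     * from an untrusted source. The stylesheet must never be request-supplied.
     */
    public static String transform(String trustedStylesheet, String untrustedXml) throws Exception {
        Transformer transformer = hardenedFactory()
                .newTransformer(new StreamSource(new StringReader(trustedStylesheet)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(untrustedXml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an application-owned stylesheet and a
        // document standing in for request data.
        String stylesheet = "<xsl:stylesheet version=\"1.0\" "
                + "xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"text\"/>"
                + "<xsl:template match=\"/\"><xsl:value-of select=\"/greeting\"/></xsl:template>"
                + "</xsl:stylesheet>";
        String document = "<greeting>hello</greeting>";
        System.out.println(transform(stylesheet, document));
    }
}
```

Two design points: the stylesheet comes from the application and never from the request, because secure processing restricts extension functions but does not make an attacker-authored stylesheet trustworthy; and the factory is configured before newTransformer() is called, since the factory's features govern the transformers it subsequently creates. For the library itself, upgrading to the fixed Wicket versions named above remains the remedy.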

Affected configurations

Vulners node:
  org.apache.wicket : wicket-util, range 8.0.0 to 8.16.0
  OR org.apache.wicket : wicket-util, range 9.0.0 to 9.18.0
  OR org.apache.wicket : wicket-util, range 10.0.0-M1 to 10.1.0

Vendor / Product / Version / CPE:
  org.apache.wicket / wicket-util / * / cpe:2.3:a:org.apache.wicket:wicket-util:*:*:*:*:*:*:*:*

