Lucene search

GitHub Advisory DatabaseGHSA-HMHG-95WH-R699

HistoryMay 24, 2022 - 7:03 p.m.

DNS based denial of service in Apache Wicket

2022-05-2419:03:11

CWE-20

GitHub Advisory Database

github.com

denial of service

dns lookup

apache wicket

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

51.8%

JSON

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.

Affected configurations

Vulners

Node

org.apache.wicketwicket-coreRange<7.18.0

org.apache.wicketwicket-coreRange8.0.0–8.12.0

org.apache.wicketwicket-coreRange9.0.0–9.3.0

VendorProductVersionCPE
org.apache.wicketwicket-core*cpe:2.3:a:org.apache.wicket:wicket-core:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.wicket	wicket-core	*	cpe:2.3:a:org.apache.wicket:wicket-core::::::::

References

www.openwall.com/lists/oss-security/2021/05/25/2

github.com/advisories/GHSA-hmhg-95wh-r699

github.com/apache/wicket/commit/84f62a5cff462eaa3bfaf171b0638c7e7feea30d

lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cannounce.wicket.apache.org%3E

lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cusers.wicket.apache.org%3E

lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78@%3Cdev.wicket.apache.org%3E

lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E

lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d@%3Cusers.wicket.apache.org%3E

lists.apache.org/thread.html/rce158bb896c9ef812393a11646fdef7b9023833e54854c4302ff7b70@%3Cdev.wicket.apache.org%3E

lists.apache.org/thread.html/rce23bba1e11368f9f4cccce0e9b02b88dcdac4e4b2304e66bd098cf5@%3Cannounce.wicket.apache.org%3E

nvd.nist.gov/vuln/detail/CVE-2021-23937

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

51.8%

JSON

Related for GHSA-HMHG-95WH-R699