vulnrichment / Apache / VULNRICHMENT:CVE-2024-36522
History: Jul 12, 2024 - 12:13 p.m.

CVE-2024-36522 Apache Wicket: Remote code execution via XSLT injection

Published: 2024-07-12 12:13:51
CWE-74
apache
github.com
13
Tags: apache wicket xslt injection remote code execution upgrade fix

AI Score

8.1

Confidence

Low

EPSS

0

Percentile

9.3%

SSVC

Exploitation

none

Automatable

no

Technical Impact

total

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Wicket",
    "versions": [
      {
        "status": "affected",
        "version": "10.0.0-M1",
        "versionType": "semver",
        "lessThanOrEqual": "10.0.0"
      },
      {
        "status": "affected",
        "version": "9.0.0",
        "versionType": "semver",
        "lessThanOrEqual": "9.17.0"
      },
      {
        "status": "affected",
        "version": "8.0.0",
        "versionType": "semver",
        "lessThanOrEqual": "8.15.0"
      }
    ],
    "packageName": "org.apache.wicket:wicket-util",
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected"
  }
]

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:apache:wicket:10.0.0-m1:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:wicket:8.0.0:*:*:*:*:*:*:*",
      "cpe:2.3:a:apache:wicket:9.0.0:*:*:*:*:*:*:*"
    ],
    "vendor": "apache",
    "product": "wicket",
    "versions": [
      {
        "status": "affected",
        "version": "10.0.0-m1",
        "versionType": "semver",
        "lessThanOrEqual": "10.0.0"
      },
      {
        "status": "affected",
        "version": "8.0.0",
        "versionType": "semver",
        "lessThanOrEqual": "8.15.0"
      },
      {
        "status": "affected",
        "version": "9.0.0",
        "versionType": "semver",
        "lessThanOrEqual": "9.17.0"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
