CVE-2024-27439

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-27439
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.
CVSS

No CVSS.

References
Link Resource
http://www.openwall.com/lists/oss-security/2024/03/19/2 Mailing List
http://www.openwall.com/lists/oss-security/2024/03/19/2 Mailing List
https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo Mailing List Vendor Advisory
https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:10.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:10.0.0:milestone2:*:*:*:*:*:*
History

27 Jun 2025, 14:43

Type Values Removed Values Added
CPE cpe:2.3:a:apache:wicket:10.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:10.0.0:milestone2:*:*:*:*:*:*
References () https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo - () https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2024/03/19/2 - () http://www.openwall.com/lists/oss-security/2024/03/19/2 - Mailing List
First Time Apache wicket
Apache

13 Feb 2025, 18:17

Type Values Removed Values Added
Summary An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue. An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

06 Dec 2024, 21:15

Type Values Removed Values Added
CWE CWE-352
CWE-444

01 May 2024, 18:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/03/19/2 -

19 Mar 2024, 11:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-19 11:15

Updated : 2025-06-27 14:43

NVD link : CVE-2024-27439

Mitre link : CVE-2024-27439

JSON object : View

Products Affected

apache

  • wicket
CWE

No CWE.