content/news/2016/11/08/cve-2016-6806.html - wicket-site - Git at Google

 <!DOCTYPE html>
 <html>
     <head>
         <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
         <meta charset="utf-8">


         <title>CVE-2016-6806 Apache Wicket CSRF detection vulnerability | Apache Wicket</title>
         <meta name="viewport" content="width=device-width, initial-scale=1" />

         <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
         <link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" />
         <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" />

 		<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>


     </head>
     <body class="">
         <div class="header default">
     <div class="l-container">

 <nav class="mainmenu">
     <div class="nav-logo">
     <a href="/"><img src="/img/logo-apachewicket.svg" alt="Apache Wicket"></a>
 </div>

     <div class="nav-container">


 		<!-- /start/quickstart.html || /news/2016/11/08/cve-2016-6806.html -->


     	<a href="/start/quickstart.html" class=" nav-items">Quick Start</a>


 		<!-- /start/download.html || /news/2016/11/08/cve-2016-6806.html -->


     	<a href="/start/download.html" class=" nav-items">Download</a>


 		<!-- /learn || /news/2016/11/08/cve-2016-6806.html -->


     	<a href="/learn" class=" nav-items">Documentation</a>


 		<!-- /help || /news/2016/11/08/cve-2016-6806.html -->


     	<a href="/help" class=" nav-items">Support</a>


 		<!-- /contribute || /news/2016/11/08/cve-2016-6806.html -->


     	<a href="/contribute" class=" nav-items">Contribute</a>


 		<!-- /community || /news/2016/11/08/cve-2016-6806.html -->


     	<a href="/community" class=" nav-items">Community</a>


 		<!-- /apache || /news/2016/11/08/cve-2016-6806.html -->


     	<a href="/apache" class=" nav-items">Apache</a>

     </div>
     <div class="nav-container  ">
         <a href="https://github.com/apache/wicket" target="_blank"><i class="fa fa-github nav-items"></i></a>
         <a href="https://twitter.com/apache_wicket" target="_blank"><i class="fa fa-twitter nav-items"></i></a>
         <a href="https://builtwithwicket.tumblr.com" target="_blank"><i class="fa fa-tumblr nav-items"></i></a>
     </div>
 </nav>

     </div>
 </div>
 <main>
     <div class="l-container">
         <header class="l-full preamble">
             <h1>CVE-2016-6806 Apache Wicket CSRF detection vulnerability</h1>


         </header>
         <section class="toc left post ">
             <div id="toc" class="toc"><div id="toc-title"><h2>Table of Contents</h2></div><ul><li class="toc--level-1 toc--section-1"><a href="#the-application-developers-are-recommended-to-upgrade-to"><span class="toc-number">1</span> <span class="toc-text">The application developers are recommended to upgrade to:</span></a></li></ul></div>
         </section>
         <section>
             <div class="l-full">
     <p class="meta">08 Nov 2016</p>
     <p><em>Severity</em>: Important</p>

 <p><em>Vendor</em>: The Apache Software Foundation</p>

 <p><em>Versions Affected</em>: Apache Wicket 6.20.0, 6.21.0, 6.22.0, 6.23.0, 6.24.0,
 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0 and 8.0.0-M1</p>

 <p><em>Description</em>: Affected versions of Apache Wicket provide a CSRF prevention
 measure that fails to discover some cross origin requests. The mitigation is to
 not only check the Origin HTTP header, but also take the Referer HTTP header
 into account when no Origin was provided. Furthermore, not all Wicket server
 side targets were subjected to the CSRF check. This was also fixed.</p>

 <p><em>Mitigation</em>: 6.x users should upgrade to 6.25.0, 7.x users should upgrade to
 7.5.0 and 8.0.0-M1 users should upgrade to 8.0.0-M2.</p>

 <p><em>Credit</em>: This issue was discovered by Gerben Janssen van Doorn</p>

 <p>References: https://wicket.apache.org/news</p>

 <h2 id="the-application-developers-are-recommended-to-upgrade-to">The application developers are recommended to upgrade to:</h2>

 <ul>
   <li><a href="/news/2016/10/26/wicket-6.25.0-released.html">Apache Wicket 6.25.0</a></li>
   <li><a href="/news/2016/10/26/wicket-7.5.0-released.html">Apache Wicket 7.5.0</a></li>
   <li><a href="/news/2016/10/26/wicket-8.0.0-M2-released.html">Apache Wicket 8.0.0-M2</a></li>
 </ul>

 <p>Users of Wicket verions prior to 6.20 are not affected because the particular
 component was introduced in 6.20.0.</p>

 </div>


         </section>
     </div>
 </main>

         <footer>
             <div class="l-container">
     <div class="left">
         <img src="/img/asf_logo_url.svg" style="height:90px; float:left; margin-right:10px;">
         <div style="margin-top:12px;">Copyright © 2021 — The Apache Software Foundation. Apache Wicket, Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</div>
     </div>
 </div>

         </footer>
     </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
	<meta charset="utf-8">



	<title>CVE-2016-6806 Apache Wicket CSRF detection vulnerability \| Apache Wicket</title>
	<meta name="viewport" content="width=device-width, initial-scale=1" />

	<link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" />
	<link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" />
	<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" />

	<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>


	</head>
	<body class="">
	<div class="header default">
	<div class="l-container">

	<nav class="mainmenu">
	<div class="nav-logo">
	<a href="/"><img src="/img/logo-apachewicket.svg" alt="Apache Wicket"></a>
	</div>

	<div class="nav-container">





	<!-- /start/quickstart.html \|\| /news/2016/11/08/cve-2016-6806.html -->



	<a href="/start/quickstart.html" class=" nav-items">Quick Start</a>





	<!-- /start/download.html \|\| /news/2016/11/08/cve-2016-6806.html -->



	<a href="/start/download.html" class=" nav-items">Download</a>





	<!-- /learn \|\| /news/2016/11/08/cve-2016-6806.html -->



	<a href="/learn" class=" nav-items">Documentation</a>





	<!-- /help \|\| /news/2016/11/08/cve-2016-6806.html -->



	<a href="/help" class=" nav-items">Support</a>





	<!-- /contribute \|\| /news/2016/11/08/cve-2016-6806.html -->



	<a href="/contribute" class=" nav-items">Contribute</a>





	<!-- /community \|\| /news/2016/11/08/cve-2016-6806.html -->



	<a href="/community" class=" nav-items">Community</a>





	<!-- /apache \|\| /news/2016/11/08/cve-2016-6806.html -->



	<a href="/apache" class=" nav-items">Apache</a>

	</div>
	<div class="nav-container ">
	<a href="https://github.com/apache/wicket" target="_blank"><i class="fa fa-github nav-items"></i></a>
	<a href="https://twitter.com/apache_wicket" target="_blank"><i class="fa fa-twitter nav-items"></i></a>
	<a href="https://builtwithwicket.tumblr.com" target="_blank"><i class="fa fa-tumblr nav-items"></i></a>
	</div>
	</nav>

	</div>
	</div>
	<main>
	<div class="l-container">
	<header class="l-full preamble">
	<h1>CVE-2016-6806 Apache Wicket CSRF detection vulnerability</h1>



	</header>
	<section class="toc left post ">
	<div id="toc" class="toc"><div id="toc-title"><h2>Table of Contents</h2></div><ul><li class="toc--level-1 toc--section-1"><a href="#the-application-developers-are-recommended-to-upgrade-to"><span class="toc-number">1</span> <span class="toc-text">The application developers are recommended to upgrade to:</span></a></li></ul></div>
	</section>
	<section>
	<div class="l-full">
	<p class="meta">08 Nov 2016</p>
	<p><em>Severity</em>: Important</p>

	<p><em>Vendor</em>: The Apache Software Foundation</p>

	<p><em>Versions Affected</em>: Apache Wicket 6.20.0, 6.21.0, 6.22.0, 6.23.0, 6.24.0,
	7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0 and 8.0.0-M1</p>

	<p><em>Description</em>: Affected versions of Apache Wicket provide a CSRF prevention
	measure that fails to discover some cross origin requests. The mitigation is to
	not only check the Origin HTTP header, but also take the Referer HTTP header
	into account when no Origin was provided. Furthermore, not all Wicket server
	side targets were subjected to the CSRF check. This was also fixed.</p>

	<p><em>Mitigation</em>: 6.x users should upgrade to 6.25.0, 7.x users should upgrade to
	7.5.0 and 8.0.0-M1 users should upgrade to 8.0.0-M2.</p>

	<p><em>Credit</em>: This issue was discovered by Gerben Janssen van Doorn</p>

	<p>References: https://wicket.apache.org/news</p>

	<h2 id="the-application-developers-are-recommended-to-upgrade-to">The application developers are recommended to upgrade to:</h2>

	<ul>
	<li><a href="/news/2016/10/26/wicket-6.25.0-released.html">Apache Wicket 6.25.0</a></li>
	<li><a href="/news/2016/10/26/wicket-7.5.0-released.html">Apache Wicket 7.5.0</a></li>
	<li><a href="/news/2016/10/26/wicket-8.0.0-M2-released.html">Apache Wicket 8.0.0-M2</a></li>
	</ul>

	<p>Users of Wicket verions prior to 6.20 are not affected because the particular
	component was introduced in 6.20.0.</p>

	</div>


	</section>
	</div>
	</main>

	<footer>
	<div class="l-container">
	<div class="left">
	<img src="/img/asf_logo_url.svg" style="height:90px; float:left; margin-right:10px;">
	<div style="margin-top:12px;">Copyright © 2021 — The Apache Software Foundation. Apache Wicket, Wicket, Apache, the Apache feather logo, and the Apache Wicket project logo are trademarks of The Apache Software Foundation. All other marks mentioned may be trademarks or registered trademarks of their respective owners.</div>
	</div>
	</div>

	</footer>
	</body>
	</html>