<p><em>Severity</em>: Low</p>

<p><em>Vendor</em>: The Apache Software Foundation</p>

<p><em>Versions Affected</em>: Apache Wicket 6.x and 1.5.x</p>

<p><em>Description</em>: Depending on the ISerializer configured in the Wicket application,
a Wicket object deserialized from an untrusted source and then used by the
application can cause the code to enter an infinite loop. Specifically, Wicket's
DiskFileItem class, when serialized by Kryo, allows an attacker to tamper with its
serialized form so that a client enters an infinite loop if it attempts to write
to the DeferredFileOutputStream attribute.</p>

<p><em>Mitigation</em>: Upgrade to Apache Wicket 6.25.0 or 1.5.17</p>

<p><em>Credit</em>: This issue was discovered
by Jacob Baines, Tenable Network Security and Pedro Santos</p>

<p><em>References</em>: https://wicket.apache.org/news</p>