| <p>Severity: Important</p> |
| |
| <p>Vendor: |
| The Apache Software Foundation</p> |
| |
| <p>Versions Affected: |
| Apache Wicket 1.5.x, 6.x and 7.x</p> |
| |
| <p>Description:</p> |
| |
| <p>CVE-2016-3092: A malicious client can send file upload requests that cause an HTTP server |
| using the Apache Commons FileUpload library to become unresponsive, preventing |
| the server from servicing other requests.</p> |
| |
| <p>This flaw is not exploitable beyond causing the code to loop, expending |
| CPU resources (a denial of service).</p> |
| |
| <p>CVE-2013-2186: |
| The DiskFileItem class in Apache Commons FileUpload allows remote attackers who can supply a serialized DiskFileItem instance to write to arbitrary files, via a NULL byte in the file name carried in that instance.</p> |
| |
| <h2 id="the-application-developers-are-recommended-to-upgrade-to">Application developers are recommended to upgrade to:</h2> |
| |
| <ul> |
| <li><a href="/news/2016/08/05/wicket-1.5.16-released.html">Apache Wicket 1.5.16</a></li> |
| <li><a href="/news/2016/07/21/wicket-6.24.0-released.html">Apache Wicket 6.24.0</a></li> |
| <li><a href="/news/2016/07/21/wicket-7.4.0-released.html">Apache Wicket 7.4.0</a></li> |
| </ul> |
| |
| <p>Since version 7.0.0 Apache Wicket no longer embeds Apache Commons FileUpload but declares it as a regular Maven dependency, so a 7.x application can also be protected without a Wicket upgrade by overriding that dependency to Commons FileUpload 1.3.2.</p> |
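<p>As an added example that is not part of this advisory, the following pom.xml fragment shows the override described above for a Wicket 7.x application. The Maven coordinates (commons-fileupload:commons-fileupload, org.apache.wicket:wicket-core) and the pre-fix Wicket version 7.3.0 are assumptions used for illustration; the advisory itself only names the target Commons FileUpload version 1.3.2.</p>

```xml
<!-- Added example, not from the advisory: pin Commons FileUpload for a Wicket 7.x app.
     A dependencyManagement entry wins over the version wicket-core pulls in
     transitively, regardless of declaration order, so the fixed 1.3.2 is resolved. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.2</version> <!-- fixed version named in the advisory -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.wicket</groupId>
      <artifactId>wicket-core</artifactId>
      <version>7.3.0</version> <!-- assumed: a 7.x release still below the fixed 7.4.0 -->
    </dependency>
  </dependencies>
</project>
```

<p>After changing the POM, confirm which version is actually resolved with <code>mvn dependency:tree -Dincludes=commons-fileupload</code>; if the tree still shows an older Commons FileUpload (for example pulled in by another library), the override has not taken effect. Note that this override only helps on Wicket 7.x: 1.5.x and 6.x embed the library, so there the only remedy is the Wicket upgrade listed above.</p>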
| |
| <p>Apache Wicket Team</p> |