| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"> |
| <title>CVE-2013-2055 - Apache Wicket Information disclosure vulnerability | Apache Wicket</title> |
| <meta name="viewport" content="width=device-width, initial-scale=1" /> |
| |
| <link rel="shortcut icon" href="/favicon.ico" type="image/vnd.microsoft.icon" /> |
| <link rel="stylesheet" href="/css/style.css" type="text/css" media="screen" /> |
| <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" /> |
| |
| <script src="//code.jquery.com/jquery-1.11.3.min.js"></script> |
| |
| </head> |
| |
| <body class=""> |
| <main> |
| <div class="l-container"> |
| <header class="l-full preamble"> |
| <h1>CVE-2013-2055 - Apache Wicket Information disclosure vulnerability</h1> |
| </header> |
| <section class="l-one-third right"> |
| </section> |
| <section class="l-two-third left"> |
| <div class="l-full"> |
| <p class="meta">06 Feb 2014</p> |
| <p>Severity: Important</p> |
| <p>Vendor: |
| The Apache Software Foundation</p> |
| <p>Versions Affected: |
| Apache Wicket 1.4.22, 1.5.10 and 6.7.0</p> |
<p>Description:
It is possible to make Wicket deliver HTML templates in their raw, unprocessed form.
An attacker could then read any sensitive information in the parts of a template that are normally discarded during rendering.
For example, if there is sensitive information before or after a Wicket Panel's or Border's markup:</p>
<div class="highlight"><pre><code class="language-xml" data-lang="xml">something sensitive here 1
<span class="nt">&lt;wicket:panel&gt;</span>
real application code
<span class="nt">&lt;/wicket:panel&gt;</span>
something sensitive here 2</code></pre></div>
<p>Normally Wicket renders only the “real application code” part, but by exploiting this vulnerability an attacker can also see the surrounding markup, including the sensitive information.</p>
<p>Application developers are recommended to upgrade to:</p>
<ul>
<li><a href="/2014/02/06/wicket-1.4.23-released.html">Apache Wicket 1.4.23</a></li>
<li><a href="/2014/02/06/wicket-1.5.11-released.html">Apache Wicket 1.5.11</a></li>
<li><a href="/2013/05/17/wicket-6.8.0-released.html">Apache Wicket 6.8.0</a></li>
</ul>
<p>and/or to remove any sensitive information from the HTML templates.</p>
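<p>The following is an added example, not code from the Apache Wicket project: a small Python audit script that splits a Panel or Border template into the part Wicket normally renders (the contents of <code>wicket:panel</code> / <code>wicket:border</code>) and the surrounding markup that raw-template delivery would expose, so templates can be checked for sensitive text before deployment. It is a regex simplification of Wicket's markup handling, the structural-tag allowlist and the sample template are assumptions, and the sample's contents are constructed.</p>

```python
import re

# Wicket renders only what sits inside these wrapper tags for a Panel or
# Border template; everything before and after is normally discarded.
_WRAPPER_RE = re.compile(
    r"<wicket:(panel|border)\b[^>]*>(.*?)</wicket:\1\s*>",
    re.DOTALL | re.IGNORECASE,
)
# Assumed allowlist: bare html/head/body tags are commonly kept around a
# panel so the template previews in a browser; they carry no content.
_STRUCTURAL_RE = re.compile(r"^</?(html|head|body)\b[^>]*>$", re.IGNORECASE)

# Constructed sample template, modelled on the advisory's illustration.
SAMPLE_TEMPLATE = """<html xmlns:wicket="http://wicket.apache.org">
<body>
<!-- internal note: staging host is db-int.example.internal -->
something sensitive here 1
<wicket:panel>
  real application code
</wicket:panel>
something sensitive here 2
</body>
</html>
"""


def rendered_part(template: str):
    """Return the markup Wicket would normally serve for this template,
    or None if it has no Panel/Border wrapper (a Page template is rendered whole)."""
    m = _WRAPPER_RE.search(template)
    return None if m is None else m.group(2)


def find_hidden_lines(template: str):
    """Return (line_number, text) for every non-blank, non-structural line
    outside the wrapper: the text exposed when raw templates are delivered."""
    m = _WRAPPER_RE.search(template)
    if m is None:
        return []
    before, after = template[: m.start()], template[m.end():]
    after_base = template.count("\n", 0, m.end()) + 1  # line holding the closing tag
    hits = []
    for base, chunk in ((1, before), (after_base, after)):
        for offset, line in enumerate(chunk.splitlines()):
            text = line.strip()
            if text and not _STRUCTURAL_RE.match(text):
                hits.append((base + offset, text))
    return hits


if __name__ == "__main__":
    for lineno, text in find_hidden_lines(SAMPLE_TEMPLATE):
        print(f"line {lineno}: would be exposed by raw delivery: {text}")
```

Run it over every <code>*.html</code> beside a Panel or Border class; a Page template (no wrapper) yields no findings because it is rendered in full anyway.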
| <p>Apache Wicket Team</p> |
| </div> |
| </section> |
| </div> |
| </main> |
| <footer class="l-container"> |
| <div class="l-full"> |
| <img height="60px" src="/img/asf_logo.gif" style="float:left"> |
| Copyright © 2014 — The Apache Software Foundation. Apache Wicket, |
| Wicket, Apache, the Apache feather logo, and the Apache Wicket |
| project logo are trademarks of The Apache Software Foundation. All |
| other marks mentioned may be trademarks or registered trademarks of |
| their respective owners. |
| </div> |
| </footer> |
| </body> |
| |
| </html> |