CVE-2024-27439

CVE-2024-27439: Apache Wicket: Possible bypass of CSRF protection

Vendor Apache Software Foundation

Product Apache Wicket

Weakness CWE-352 · CSRF

Published March 19, 2024

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket. This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series. Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected. Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

Key dates

Disclosure timeline

March 19, 2024 CVE published

February 13, 2025 Record updated

Identifiers

CVE CVE-2024-27439

CWE CWE-352

Affected versions

Vendor Apache Software Foundation

Product Apache Wicket

Affected ≥ 9.1.0 and ≤ 9.16.0

Vendor Apache Software Foundation

Product Apache Wicket

Affected ≥ 10.0.0-M1 and < 10.0.0