Posted to users@wicket.apache.org by Martin Grigorov <mg...@apache.org> on 2014/02/21 13:49:47 UTC
CVE-2014-0043
Severity: Important
Vendor:
The Apache Software Foundation
Affected versions:
Apache Wicket 1.5.10 and 6.13.0
Description CVE-2014-0043<https://wicket.apache.org/2014/02/06/cve-2014-0043.html>:
By issuing requests to special urls handled by Wicket it is possible to
check for the existence of particular classes in the classpath and thus
check whether a third party library with a known security vulnerability is
in use.
The application developers are recommended to upgrade to:
- Apache Wicket 1.5.11<https://wicket.apache.org/2014/02/06/wicket-1.5.11-released.html>
- Apache Wicket 6.14.0<https://wicket.apache.org/2013/05/17/wicket-6.14.0-released.html>
Credit:
This issue was reported by Christian Schneider!
Apache Wicket Team
Re: CVE-2014-0043
Posted by Martin Grigorov <mg...@apache.org>.
Earlier versions are affected too.
Martin Grigorov
Wicket Training and Consulting
On Fri, Feb 21, 2014 at 4:13 PM, Nick Pratt <nb...@gmail.com> wrote:
> Martin
>
> Is this specific to 6.13 or does the problem exist in earlier Wicket
> versions on the 6.x branch?
>
> Regards
>
> Nick
>
>
> On Fri, Feb 21, 2014 at 7:49 AM, Martin Grigorov <mgrigorov@apache.org> wrote:
>
> > Severity: Important
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Affected versions:
> > Apache Wicket 1.5.10 and 6.13.0
> >
> > Description CVE-2014-0043<
> > https://wicket.apache.org/2014/02/06/cve-2014-0043.html>
> > :
> >
> > By issuing requests to special urls handled by Wicket it is possible to
> > check for the existence of particular classes in the classpath and thus
> > check whether a third party library with a known security vulnerability
> > is in use.
> >
> > The application developers are recommended to upgrade to:
> > - Apache Wicket
> > 1.5.11<https://wicket.apache.org/2014/02/06/wicket-1.5.11-released.html>
> > - Apache Wicket
> > 6.14.0<https://wicket.apache.org/2013/05/17/wicket-6.14.0-released.html>
> >
> > Credit:
> > This issue was reported by Christian Schneider!
> >
> > Apache Wicket Team
> >
>
Re: CVE-2014-0043
Posted by Nick Pratt <nb...@gmail.com>.
Martin
Is this specific to 6.13 or does the problem exist in earlier Wicket
versions on the 6.x branch?
Regards
Nick
On Fri, Feb 21, 2014 at 7:49 AM, Martin Grigorov <mg...@apache.org>wrote:
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Affected versions:
> Apache Wicket 1.5.10 and 6.13.0
>
> Description CVE-2014-0043<
> https://wicket.apache.org/2014/02/06/cve-2014-0043.html>
> :
>
> By issuing requests to special urls handled by Wicket it is possible to
> check for the existence of particular classes in the classpath and thus
> check whether a third party library with a known security vulnerability is
> in use.
>
> The application developers are recommended to upgrade to:
> - Apache Wicket
> 1.5.11<https://wicket.apache.org/2014/02/06/wicket-1.5.11-released.html>
> - Apache Wicket
> 6.14.0<https://wicket.apache.org/2013/05/17/wicket-6.14.0-released.html>
>
> Credit:
> This issue was reported by Christian Schneider!
>
> Apache Wicket Team
>
Re: CVE-2014-0043
Posted by Martin Grigorov <mg...@apache.org>.
https://wicket.apache.org/2014/02/21/cve-2014-0043.html
Martin Grigorov
Wicket Training and Consulting
On Fri, Feb 21, 2014 at 4:30 PM, Pierre Goupil <go...@gmail.com>wrote:
> Good afternoon,
>
> Sorry but the first link gives me a 404.
>
> Regards,
>
> Pierre
>
>
>
Re: CVE-2014-0043
Posted by Pierre Goupil <go...@gmail.com>.
Good afternoon,
Sorry but the first link gives me a 404.
Regards,
Pierre
Re: CVE-2014-0043
Posted by Martin Grigorov <mg...@apache.org>.
Hi Jan,
Yes, wrong url in the mail...
The correct one is https://wicket.apache.org/2014/02/21/cve-2014-0043.html
1.4.x is not affected.
Martin Grigorov
Wicket Training and Consulting
On Fri, Feb 21, 2014 at 4:58 PM, Jan Loose <Ja...@cleverlance.com>wrote:
> Hi Martin,
>
> the page https://wicket.apache.org/2014/02/06/cve-2014-0043.html returns
> NotFound. Is the 1.4 branch affected too?
>
> Thx,
> H.
>
>
> On 21 Feb 2014, at 13:49, Martin Grigorov <mgrigorov@apache.org<mailto:
> mgrigorov@apache.org>> wrote:
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Affected versions:
> Apache Wicket 1.5.10 and 6.13.0
>
> Description CVE-2014-0043<
> https://wicket.apache.org/2014/02/06/cve-2014-0043.html>
> :
>
> By issuing requests to special urls handled by Wicket it is possible to
> check for the existence of particular classes in the classpath and thus
> check whether a third party library with a known security vulnerability is
> in use.
>
> The application developers are recommended to upgrade to:
> - Apache Wicket
> 1.5.11<https://wicket.apache.org/2014/02/06/wicket-1.5.11-released.html>
> - Apache Wicket
> 6.14.0<https://wicket.apache.org/2013/05/17/wicket-6.14.0-released.html>
>
> Credit:
> This issue was reported by Christian Schneider!
>
> Apache Wicket Team
>
>
Re: CVE-2014-0043
Posted by Jan Loose <Ja...@cleverlance.com>.
Hi Martin,
the page https://wicket.apache.org/2014/02/06/cve-2014-0043.html returns NotFound. Is the 1.4 branch affected too?
Thx,
H.
On 21 Feb 2014, at 13:49, Martin Grigorov <mg...@apache.org> wrote:
Severity: Important
Vendor:
The Apache Software Foundation
Affected versions:
Apache Wicket 1.5.10 and 6.13.0
Description CVE-2014-0043<https://wicket.apache.org/2014/02/06/cve-2014-0043.html>:
By issuing requests to special urls handled by Wicket it is possible to
check for the existence of particular classes in the classpath and thus
check whether a third party library with a known security vulnerability is
in use.
The application developers are recommended to upgrade to:
- Apache Wicket 1.5.11<https://wicket.apache.org/2014/02/06/wicket-1.5.11-released.html>
- Apache Wicket 6.14.0<https://wicket.apache.org/2013/05/17/wicket-6.14.0-released.html>
Credit:
This issue was reported by Christian Schneider!
Apache Wicket Team
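
A dependency check built from the version facts stated across this thread, as an added example that is not part of any message or of the Wicket project: it reads `mvn dependency:list` output and classifies each `org.apache.wicket` artifact. The sample listing is constructed, and treating every 1.5.x release before 1.5.11 as affected is an assumption drawn from the "earlier versions are affected too" reply.

```python
import re

# Maven coordinates as printed by `mvn dependency:list`:
# group:artifact:type[:classifier]:version:scope
COORD = re.compile(r"org\.apache\.wicket(?::[\w.-]+){4,5}")


def classify(version):
    """Map a Wicket version string to the status stated in the thread."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return "unknown"
    v = tuple(int(x or 0) for x in m.groups())
    if v[:2] == (1, 4):
        return "not affected"      # "1.4.x is not affected."
    if v[:2] == (1, 5):            # assumption: all 1.5.x before the fix
        return "affected" if v < (1, 5, 11) else "fixed"
    if v[0] == 6:                  # "Earlier versions are affected too."
        return "affected" if v < (6, 14, 0) else "fixed"
    return "unknown"               # branch not discussed in the thread


def scan(listing):
    """Return (artifact, version, status) for each Wicket dependency found."""
    findings = []
    for match in COORD.finditer(listing):
        parts = match.group(0).split(":")
        artifact, version = parts[1], parts[-2]  # version precedes the scope
        findings.append((artifact, version, classify(version)))
    return findings


# Constructed sample of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.apache.wicket:wicket-core:jar:6.13.0:compile
[INFO]    org.apache.wicket:wicket-util:jar:6.14.0:compile
[INFO]    org.apache.wicket:wicket:jar:1.4.23:compile
[INFO]    org.apache.wicket:wicket-extensions:jar:1.5.7:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.5:compile
"""

if __name__ == "__main__":
    for artifact, version, status in scan(SAMPLE):
        print(f"{artifact:20} {version:10} {status}")
```

Artifacts reported as "affected" should be moved to 1.5.11 or 6.14.0, the releases named in the advisory.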