Posted to dev@wicket.apache.org by sv...@apache.org on 2020/08/10 16:23:16 UTC

[CVE-2020-11976] Apache Wicket information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5

Description:

By crafting a special URL, it is possible to make Wicket deliver
unprocessed HTML templates.
This would allow an attacker to see possibly sensitive information
inside an HTML template that is usually removed during rendering.
For example, if there are credentials in the markup which are never
supposed to be visible to the client:

   <wicket:remove>
      some secret
   </wicket:remove>

The application developers are recommended to upgrade to:
- Apache Wicket 7.17.0
<http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
- Apache Wicket 8.9.0
<http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
- Apache Wicket 9.0.0
<http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>

Credit:
The vulnerability has been found and reported by Mariusz Popławski from 
Afine.

Apache Wicket Team
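A defender-side check for the issue described above, added here as an example and not Apache Wicket's own code: it lists the <wicket:remove> blocks in a project's templates (flagging credential-looking content with a constructed heuristic) and tests whether a served page still contains such markup, which would mean the raw template was delivered. The template directory layout, the heuristic patterns and the sample template are assumptions.

```python
# Added example (not Apache Wicket code): scan Wicket HTML templates for
# <wicket:remove> blocks holding secret-like content, and check a served page
# for unprocessed template markup. The secret heuristic is constructed here.
import re
from pathlib import Path

# <wicket:remove> blocks are stripped at render time, so developers may park
# anything in them; a raw-template disclosure like CVE-2020-11976 exposes them.
REMOVE_BLOCK = re.compile(r"<wicket:remove\b[^>]*>(.*?)</wicket:remove>",
                          re.IGNORECASE | re.DOTALL)
# Constructed heuristic for credential-looking text inside a block.
SECRET_HINT = re.compile(
    r"password|passwd|secret|api[_-]?key|token|BEGIN [A-Z ]*PRIVATE KEY",
    re.IGNORECASE)

def remove_blocks(markup: str) -> list[str]:
    """Return the inner text of every <wicket:remove> block in a template."""
    return [m.group(1).strip() for m in REMOVE_BLOCK.finditer(markup)]

def scan_template(markup: str) -> list[dict]:
    """One finding per <wicket:remove> block, flagged if it looks sensitive."""
    return [{"block": i, "sensitive": bool(SECRET_HINT.search(body)),
             "preview": body[:60]}
            for i, body in enumerate(remove_blocks(markup))]

def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every *.html template under root; findings keyed by file path."""
    return {str(p): scan_template(p.read_text(encoding="utf-8", errors="replace"))
            for p in root.rglob("*.html")}

def response_leaks_template(body: str) -> bool:
    """True if a served page still contains <wicket:remove> markup: Wicket
    removes it during rendering, so seeing it means the raw template was
    delivered, which is the symptom the advisory describes."""
    return REMOVE_BLOCK.search(body) is not None

# Constructed sample template for a stand-alone run.
SAMPLE_TEMPLATE = """<html><body>
<wicket:remove>
   dev db password: hunter2
</wicket:remove>
<div wicket:id="content">preview only</div>
<wicket:remove><p>designer mock-up, no data here</p></wicket:remove>
</body></html>"""

if __name__ == "__main__":
    for f in scan_template(SAMPLE_TEMPLATE):
        print(f"block {f['block']}: sensitive={f['sensitive']} :: {f['preview']!r}")
    print("raw template leaked:", response_leaks_template(SAMPLE_TEMPLATE))
```

Run scan_tree(Path("src/main/java")) or wherever the project keeps its templates to review every block in a real code base.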

Re: [CVE-2020-11976] Apache Wicket information disclosure vulnerability

Posted by Martijn Dashorst <ma...@gmail.com>.
On Thu, Aug 11, 2022 at 4:11 PM Chris Colman
<ch...@stepaheadsoftware.com.invalid> wrote:

> On 11/08/2022 7:45 pm, Daniel Stoch wrote:
> > We have a plan to upgrade (at last ;))
> Yeehah!
> >   Wicket to a newer version (9.x), but
> > it is not quite easy for a big application
> Our app has 1034 Wicket UI classes - that's just pure Wicket UI classes
>

Mine is bigger than yours! :tongue in cheek:

Secondary education student information system:
$ git grep -l "org.apache.wicket." | wc -l
3825
Sloccount:
java:       1378972 (98.24%)

Primary education student information system:
$ git grep -l "org.apache.wicket." | wc -l
2381
Sloccount:
java:        672676 (96.59%)

Shared component/model/behaviour/other utility classes framework:
$ git grep -l "org.apache.wicket." | wc -l
750
Sloccount:
java:        145353 (100.00%)

All running on Wicket latest. We just migrate when there's a new version
available as soon as possible, because otherwise You Get Left Behind, and
It Gets Scarier to Upgrade and More Expensive (due to more regressions
possible--having to upgrade Java, other libraries, etc).

Martijn

Re: [CVE-2020-11976] Apache Wicket information disclosure vulnerability

Posted by Matt Pavlovich <ma...@gmail.com>.
+1 upgrading v6 -> v7 -> v8 -> v9 is the way to go. 

FWIW our experience has been similar— upgrades take a day, or a couple days at most.

Thanks,
Matt Pavlovich

> On Aug 11, 2022, at 9:09 AM, Chris Colman <ch...@stepaheadsoftware.com.INVALID> wrote:
> 
> Hi Daniel,
> 
> On 11/08/2022 7:45 pm, Daniel Stoch wrote:
>> We have a plan to upgrade (at last ;))
> Yeehah!
>>  Wicket to a newer version (9.x), but
>> it is not quite easy for a big application
> Our app has 1034 Wicket UI classes - that's just pure Wicket UI classes - don't ask about the number of classes in the business layer/domain model ;)
>> and unfortunately we have to
>> patch Wicket code by ourselves to fix issues described in WICKET-5588
>> (including JavaScript: if this code has many changes between 6.x and 9.x
>> it can be quite hard to do).
>> It would be much easier to upgrade if this problem was fixed in the
>> standard version of Wicket.
> 
> I think jumping from 6 -> 9 directly might be a bit too adventurous - you have to consider all framework changes across 7, 8 and 9.
> 
> That's why we decided to migrate one step at a time: "single stepping" from 6->7 (done) then 7->8 then 8->9.
> 
> The good thing about 6->7->8 is that you can stick with Java 8 and so not have to be concerned with any issues that changing your Java version may bring (assuming you're currently using 1.8).
> 


Re: [CVE-2020-11976] Apache Wicket information disclosure vulnerability

Posted by Chris Colman <ch...@stepaheadsoftware.com.INVALID>.
Hi Daniel,

On 11/08/2022 7:45 pm, Daniel Stoch wrote:
> We have a plan to upgrade (at last ;))
Yeehah!
>   Wicket to a newer version (9.x), but
> it is not quite easy for a big application
Our app has 1034 Wicket UI classes - that's just pure Wicket UI classes 
- don't ask about the number of classes in the business layer/domain 
model ;)
> and unfortunately we have to
> patch Wicket code by ourselves to fix issues described in WICKET-5588
> (including JavaScript: if this code has many changes between 6.x and 9.x
> it can be quite hard to do).
> It would be much easier to upgrade if this problem was fixed in the
> standard version of Wicket.

I think jumping from 6 -> 9 directly might be a bit too adventurous - 
you have to consider all framework changes across 7, 8 and 9.

That's why we decided to migrate one step at a time: "single stepping" 
from 6->7 (done) then 7->8 then 8->9.

The good thing about 6->7->8 is that you can stick with Java 8 and so
not have to be concerned with any issues that changing your Java
version may bring (assuming you're currently using 1.8).


Re: [CVE-2020-11976] Apache Wicket information disclosure vulnerability

Posted by Chris Colman <ch...@stepaheadsoftware.com.INVALID>.
Hi Daniel,

In regard to migrating from 6.x to 7.x if this helps...

We migrated a MASSIVE Website creation app/CMS plus a generic web app 
development platform, all built on Wicket 6, to Wicket 7 in a 
surprisingly quick time.

For a long time (years) we had feared the Wicket 6->7 migration so kept 
putting it off as we expected it might take weeks but in the end it only 
took a couple of days!

We were pleasantly surprised. Java being a statically typed language 
really helps you find most of the issues via compilation but there are a 
few issues you will need to look out for as detailed in the migration 
notes - but we didn't find these a major burden to locate and resolve.

Wicket 7 even fixed an issue in our app that we had been trying to fix 
in 6.x that we thought was a problem in our code but might have well 
been a 6.x glitch because it started working fine once we ported to 
Wicket 7.x!

Hope that helps :)

Regards,
Chris


On 11/08/2022 6:05 pm, Martin Grigorov wrote:
> Hi,
>
> Wicket 6.x is no longer supported.
> Wicket 7.x is the current security maintenance branch.
>
> Your options are:
> - patch locally
> - upgrade to a newer version

Re: [CVE-2020-11976] Apache Wicket information disclosure vulnerability

Posted by Daniel Stoch <da...@gmail.com>.
Hi,

First thing: I still don't know which JIRA issue fixes the CVE-2020-11976
vulnerability; is it WICKET-6792 or not? I can see version 6.31.0 in JIRA
with this issue fixed, which is why I asked about releasing this
version of Wicket. I thought that Wicket 6.x still receives security fixes;
if not, we can patch it ourselves (but we need to know what was fixed) or
perform an upgrade (see below).

We have a plan to upgrade (at last ;)) Wicket to a newer version (9.x), but
it is not quite easy for a big application, and unfortunately we have to
patch Wicket code by ourselves to fix issues described in WICKET-5588
(including JavaScript: if this code has many changes between 6.x and 9.x
it can be quite hard to do).
It would be much easier to upgrade if this problem was fixed in the
standard version of Wicket.

--
Best regards,
Daniel Stoch



On Thu, 11 Aug 2022 at 10:06 Martin Grigorov <mg...@apache.org> wrote:

> Hi,
>
> Wicket 6.x is no longer supported.
> Wicket 7.x is the current security maintenance branch.
>
> Your options are:
> - patch locally
> - upgrade to a newer version

Re: [CVE-2020-11976] Apache Wicket information disclosure vulnerability

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

Wicket 6.x is no longer supported.
Wicket 7.x is the current security maintenance branch.

Your options are:
- patch locally
- upgrade to a newer version

On Wed, Aug 10, 2022 at 6:17 PM Daniel Stoch <da...@gmail.com> wrote:

> Hi,
>
> Is there any JIRA issue for this? I tried to find one, but no issue in Wicket
> JIRA points directly to CVE-2020-11976.
> One possible candidate to me is WICKET-6792 :). Am I right? If yes, this is
> also already fixed for Wicket 6.31.0; can you release this version?

Re: [CVE-2020-11976] Apache Wicket information disclosure vulnerability

Posted by Daniel Stoch <da...@gmail.com>.
Hi,

Is there any JIRA issue for this? I tried to find one, but no issue in Wicket
JIRA points directly to CVE-2020-11976.
One possible candidate to me is WICKET-6792 :). Am I right? If yes, this is
also already fixed for Wicket 6.31.0; can you release this version?

--
Best regards,
Daniel Stoch

