CVE-2024-27439

{"id": "CVE-2024-27439", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2024-03-19T11:15:06.537", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/03/19/2", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/19/2", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-444"}]}], "descriptions": [{"lang": "en", "value": "An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.\nThis issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.\nApache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.\n\nUsers are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue."}, {"lang": "es", "value": "Un error en la evaluaci\u00f3n de los encabezados de metadatos de recuperaci\u00f3n podr\u00eda permitir eludir la protecci\u00f3n CSRF en Apache Wicket. Este problema afecta a Apache Wicket: desde 9.1.0 hasta 9.16.0 y los lanzamientos importantes para la serie 10.0. Apache Wicket 8.x no admite la protecci\u00f3n CSRF a trav\u00e9s de los encabezados de metadatos de recuperaci\u00f3n y, como tal, no se ve afectado. Se recomienda a los usuarios actualizar a la versi\u00f3n 9.17.0 o 10.0.0, que soluciona el problema."}], "lastModified": "2025-06-27T14:43:53.587", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26BA1B22-867F-4638-B682-97D916E23EF6", "versionEndExcluding": "9.17.0", "versionStartIncluding": "9.1.0"}, {"criteria": "cpe:2.3:a:apache:wicket:10.0.0:milestone1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9365B852-58AE-46B0-8EA5-41AB42E3BC40"}, {"criteria": "cpe:2.3:a:apache:wicket:10.0.0:milestone2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AFEF17BD-48F1-4CAF-A195-45EE63001E12"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}