CVE-2014-7808: Weak Encryption
First published: Fri Sep 15 2017(Updated: )
Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Wicket | >=1.5.0<1.5.13 | |
| Apache Wicket | >=6.0.0<6.19.0 | |
| Apache Wicket | =7.0.0-milestone1 | |
| Apache Wicket | =7.0.0-milestone2 | |
| Apache Wicket | =7.0.0-milestone3 | |
| Apache Wicket | =7.0.0-milestone4 | |
| Apache Wicket | =7.0.0-milestone5 | |
| maven/org.apache.wicket:wicket-core | >=7.0.0-M1<7.0.0-M5 | 7.0.0-M5 |
| maven/org.apache.wicket:wicket-core | >=6.0.0-beta1<6.19.0 | 6.19.0 |
| maven/org.apache.wicket:wicket-core | <1.5.13 | 1.5.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw@mail.gmail.com%3E
- https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html
- http://mail-archives.apache.org/mod_mbox/wicket-users/201502.mbox/%3CCAMomwMpLPDYezc=iFofm1R1Uq37vUFJ8VC-_ex5SU8-HAKBoRw%40mail.gmail.com%3E
- https://nvd.nist.gov/vuln/detail/CVE-2014-7808
- https://github.com/apache/wicket/commit/d2b8848346b8f806e747dca18799d70c37fc893f
- https://lists.apache.org/thread/rqy6lpo5mzco85cbf65r53vdh87gz77b
- https://web.archive.org/web/20180830051017/https://www.smrrd.de/cve-2014-7808-apache-wicket-csrf-2014.html
- https://github.com/advisories/GHSA-vfmm-jm4v-7frq (Advisory)
Frequently Asked Questions
What is the severity of CVE-2014-7808?
CVE-2014-7808 has a moderate severity rating due to its impact on the cryptographic protection mechanisms in Apache Wicket.
How do I fix CVE-2014-7808?
To fix CVE-2014-7808, upgrade to Apache Wicket version 1.5.13, 6.19.0, or 7.0.0-M5 or later.
What are the affected versions of Apache Wicket for CVE-2014-7808?
CVE-2014-7808 affects Apache Wicket versions prior to 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5.
What type of vulnerability is CVE-2014-7808?
CVE-2014-7808 is a cryptographic vulnerability that allows attackers to predict encrypted URLs.
Who is impacted by CVE-2014-7808?
Developers and users of Apache Wicket versions prior to the patched releases are impacted by CVE-2014-7808.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/first-publish-date
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vfmm-jm4v-7frq
- alias/CVE-2014-7808
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- agent/source
- agent/tags
- collector/github-advisory
- vendor/apache
- canonical/apache wicket
- version/apache wicket/1.5.0
- version/apache wicket/6.0.0
- version/apache wicket/7.0.0-milestone1
- version/apache wicket/7.0.0-milestone2
- version/apache wicket/7.0.0-milestone3
- version/apache wicket/7.0.0-milestone4
- version/apache wicket/7.0.0-milestone5
- package-manager/maven