CVE-2021-23937: DNS proxy and possible amplification attack
First published: Tue May 25 2021(Updated: )
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.wicket:wicket-core | <7.18.0 | 7.18.0 |
| maven/org.apache.wicket:wicket-core | >=8.0.0<8.12.0 | 8.12.0 |
| maven/org.apache.wicket:wicket-core | >=9.0.0<9.3.0 | 9.3.0 |
| Apache Wicket | >=6.0.0<=6.2.0 | |
| Apache Wicket | >=7.0.0<=7.17.0 | |
| Apache Wicket | >=8.0.0<=8.11.0 | |
| Apache Wicket | >=9.0.0<=9.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-23937
- https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cannounce.wicket.apache.org%3E
- https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cusers.wicket.apache.org%3E
- https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78@%3Cdev.wicket.apache.org%3E
- https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E
- https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d@%3Cusers.wicket.apache.org%3E
- https://lists.apache.org/thread.html/rce158bb896c9ef812393a11646fdef7b9023833e54854c4302ff7b70@%3Cdev.wicket.apache.org%3E
- https://lists.apache.org/thread.html/rce23bba1e11368f9f4cccce0e9b02b88dcdac4e4b2304e66bd098cf5@%3Cannounce.wicket.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/05/25/2
- https://github.com/apache/wicket/commit/84f62a5cff462eaa3bfaf171b0638c7e7feea30d
- https://github.com/advisories/GHSA-hmhg-95wh-r699 (Advisory)
- https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E
- https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E
- https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E
- collector/github-advisory-latest
- alias/GHSA-hmhg-95wh-r699
- alias/CVE-2021-23937
- collector/github-advisory
- collector/nvd-api
- collector/nvd-index
- collector/nvd-cve
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/trending
- agent/tags
- agent/source
- package-manager/maven
- vendor/apache
- canonical/apache wicket
- version/apache wicket/6.0.0
- version/apache wicket/6.2.0
- version/apache wicket/7.0.0
- version/apache wicket/7.17.0
- version/apache wicket/8.0.0
- version/apache wicket/8.11.0
- version/apache wicket/9.0.0
- version/apache wicket/9.2.0