What is the severity of CVE-2021-23937?

CVE-2021-23937 is considered to have a medium severity due to its potential for exploitation through DNS amplification attacks.

How do I fix CVE-2021-23937?

To fix CVE-2021-23937, upgrade Apache Wicket to versions 7.18.0, 8.12.0, or 9.3.0 or higher.

What versions of Apache Wicket are affected by CVE-2021-23937?

CVE-2021-23937 affects Apache Wicket versions prior to 7.18.0, 8.12.0, and 9.3.0.

Can CVE-2021-23937 be exploited without access to the internal network?

Yes, CVE-2021-23937 can be exploited remotely if the application is configured to trust the X-Forwarded-For header without proper validation.

What are the potential impacts of CVE-2021-23937?

The potential impacts of CVE-2021-23937 include increased load on the internal DNS server and possible service disruption.

Vulnerability/
CVE-2021-23937

high

7.5

CWE

20 200

25/5/2021

24/5/2022

3/8/2024

CVE-2021-23937: DNS proxy and possible amplification attack

First published: Tue May 25 2021(Updated: 8 months ago)

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
maven/org.apache.wicket:wicket-core	<7.18.0	7.18.0
maven/org.apache.wicket:wicket-core	>=8.0.0<8.12.0	8.12.0
maven/org.apache.wicket:wicket-core	>=9.0.0<9.3.0	9.3.0
Apache Wicket	>=6.0.0<=6.2.0
Apache Wicket	>=7.0.0<=7.17.0
Apache Wicket	>=8.0.0<=8.11.0
Apache Wicket	>=9.0.0<=9.2.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2021-23937?
CVE-2021-23937 is considered to have a medium severity due to its potential for exploitation through DNS amplification attacks.
How do I fix CVE-2021-23937?
To fix CVE-2021-23937, upgrade Apache Wicket to versions 7.18.0, 8.12.0, or 9.3.0 or higher.
What versions of Apache Wicket are affected by CVE-2021-23937?
CVE-2021-23937 affects Apache Wicket versions prior to 7.18.0, 8.12.0, and 9.3.0.
Can CVE-2021-23937 be exploited without access to the internal network?
Yes, CVE-2021-23937 can be exploited remotely if the application is configured to trust the X-Forwarded-For header without proper validation.
What are the potential impacts of CVE-2021-23937?
The potential impacts of CVE-2021-23937 include increased load on the internal DNS server and possible service disruption.

collector/github-advisory-latest
alias/GHSA-hmhg-95wh-r699
alias/CVE-2021-23937
collector/github-advisory
collector/nvd-api
collector/nvd-index
collector/nvd-cve
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/title
agent/references
agent/weakness
agent/last-modified-date
agent/author
agent/description
agent/event
agent/first-publish-date
agent/trending
agent/tags
agent/source
package-manager/maven
vendor/apache
canonical/apache wicket
version/apache wicket/6.0.0
version/apache wicket/6.2.0
version/apache wicket/7.0.0
version/apache wicket/7.17.0
version/apache wicket/8.0.0
version/apache wicket/8.11.0
version/apache wicket/9.0.0
version/apache wicket/9.2.0