PT-2021-15623 · Apache · Apache Wicket

Jonathan Juursema · Published 2021-05-25 · Updated 2023-08-08

CVE-2021-23937
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache Wicket 9.x, versions 9.2.0 and prior; Apache Wicket 8.x, versions 8.11.0 and prior; Apache Wicket 7.x, versions 7.17.0 and prior; Apache Wicket 6.x, versions 6.2.0 and later.
Description: A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. The header is client-controlled, so any request can carry an arbitrary hostname in it, and the server resolves that name while the request is being handled. The lookups can be engineered to overload an internal DNS server (for example by sending unique, uncacheable names under an attacker-controlled zone) or to slow down request processing of the Apache Wicket application, causing a possible denial of service on either the internal infrastructure or the web application itself.
Recommendations: For Apache Wicket 9.x, update to a version later than 9.2.0 (9.3.0 is the first fixed release). For Apache Wicket 8.x, update to a version later than 8.11.0 (8.12.0 is the first fixed release). For Apache Wicket 7.x, update to a version later than 7.17.0 (7.18.0 is the first fixed release). For Apache Wicket 6.x (6.2.0 and later), consider disabling the WebClientInfo component until a patch is available. Independently of the upgrade, only trust X-Forwarded-For on requests that arrive from your own reverse proxy, and have that proxy overwrite the header rather than append to it, since any client can set it.
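The following is an added example illustrating the bug class described above; it is not Apache Wicket's own code and does not reproduce the patched method. The class `ForwardedForDemo`, its method names and the header values are all constructed for this illustration. It contrasts a handler that hands the left-most X-Forwarded-For entry straight to `java.net.InetAddress` (which issues a forward DNS query for any value that is not an IP literal, and a reverse PTR query on `getHostName()`) with a hardened version that accepts only IP literals and never calls the resolver on the request path.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

/**
 * Added example for the CVE-2021-23937 bug class (not Wicket code):
 * an unvalidated X-Forwarded-For value reaching the JDK resolver.
 */
public class ForwardedForDemo {

    /** Takes the left-most entry of a comma-separated X-Forwarded-For value. */
    static String firstForwardedEntry(String xff) {
        int comma = xff.indexOf(',');
        return (comma < 0 ? xff : xff.substring(0, comma)).trim();
    }

    /**
     * Vulnerable pattern. If the entry is not an IP literal, getByName() sends a
     * forward DNS query for whatever name the client put in the header (a fresh
     * random label under an attacker-controlled zone defeats resolver caching).
     * getHostName() then sends a reverse (PTR) query even for IP literals.
     */
    static String vulnerableRemoteHost(String xff) throws UnknownHostException {
        String entry = firstForwardedEntry(xff);
        return InetAddress.getByName(entry).getHostName();
    }

    // Strict dotted-quad IPv4 literal: four octets 0-255, no leading zeros.
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");

    /**
     * IPv6 literal without zone id or embedded IPv4: eight 1-4 digit hex groups,
     * or fewer groups with exactly one "::" compression. No resolver involved.
     */
    static boolean isIpv6Literal(String s) {
        if (!s.matches("[0-9A-Fa-f:]+")) return false;
        if (s.startsWith(":") && !s.startsWith("::")) return false;
        if (s.endsWith(":") && !s.endsWith("::")) return false;
        int dc = s.indexOf("::");
        if (dc >= 0 && s.indexOf("::", dc + 1) >= 0) return false; // at most one "::"
        String[] groups = s.split(":", -1);
        int nonEmpty = 0;
        for (String g : groups) {
            if (g.length() > 4) return false;
            if (!g.isEmpty()) nonEmpty++;
        }
        return dc < 0 ? (groups.length == 8 && nonEmpty == 8) : nonEmpty <= 7;
    }

    static boolean isIpLiteral(String s) {
        return IPV4.matcher(s).matches() || isIpv6Literal(s);
    }

    /**
     * Hardened pattern: the header is consulted only for requests that came from a
     * trusted proxy, only its left-most entry is used, and that entry is accepted
     * only if it is an IP literal. Anything else falls back to the socket address,
     * so no DNS query is ever triggered by request data.
     */
    static String hardenedRemoteAddr(String xff, String socketAddr, boolean fromTrustedProxy) {
        if (!fromTrustedProxy || xff == null || xff.isEmpty()) return socketAddr;
        String entry = firstForwardedEntry(xff);
        return isIpLiteral(entry) ? entry : socketAddr;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed header values for the demo (TEST-NET-3 and documentation prefixes).
        String[] headers = {
            "203.0.113.7, 10.0.0.2",
            "2001:db8::1",
            "x7f3a9c.dns-sink.example",      // a hostname: would trigger a forward lookup
            "203.0.113.7.dns-sink.example",  // looks numeric but is still a hostname
            ":::1",                          // malformed; rejected, no lookup
        };
        for (String h : headers) {
            System.out.println(h + " -> " + hardenedRemoteAddr(h, "10.0.0.2", true));
        }
        // The only line that touches the network: even an IP literal costs a PTR query
        // on the vulnerable path, which is the "slow down request processing" case.
        System.out.println("vulnerable path: " + vulnerableRemoteHost("203.0.113.7"));
    }
}
```

Running `main` prints the literal entries unchanged and `10.0.0.2` for the three non-literal values, because the hardened path never resolves names. Note that the left-most X-Forwarded-For entry is always attacker-controllable when proxies append rather than overwrite; the hardened code uses it only after confirming it is a literal, and a deployment that needs a trustworthy client address should take the entry its own proxy added instead.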

Related Identifiers

CVE-2021-23937
GHSA-HMHG-95WH-R699

Affected Products

Apache Wicket