PT-2024-2472 · Apache · Apache Wicket

Jo Theunis · Published 2024-03-19 · Updated 2025-06-27 · CVE-2024-27439

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Wicket versions 9.1.0 through 9.16.0; Apache Wicket milestone releases for the 10.0 series

Description: The vulnerability is a bypass of the CSRF protection in Apache Wicket, caused by an error in how the fetch metadata headers (the Sec-Fetch-* request headers sent by browsers) are evaluated. A remote attacker could use it to perform a CSRF attack by means of a specially crafted web page. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents in which this issue was exploited.

Recommendations: For Apache Wicket versions 9.1.0 through 9.16.0, upgrade to version 9.17.0. For Apache Wicket milestone releases for the 10.0 series, upgrade to version 10.0.0. As a temporary workaround, consider restricting access to sensitive operations that rely on CSRF protection until a patch is applied.
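The advisory describes the flaw only as an error in evaluating the fetch metadata headers. To show what a correct Fetch Metadata "resource isolation" check looks like from the defender's side, the following is an added example in plain Java; it is not Apache Wicket's code, does not reproduce the bypass, and the class name, the policy choices (missing headers fall through to the application's other CSRF defences, unknown header values are treated as cross-site) and the sample requests are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example (hypothetical class, not Apache Wicket's implementation):
// a Fetch Metadata resource-isolation policy of the kind a framework applies
// before CSRF-sensitive handlers run. Rules follow the W3C Fetch Metadata
// guidance: allow same-origin / same-site / none, allow cross-site only for
// a top-level GET/HEAD navigation that is not an object/embed, reject the rest.
public final class FetchMetadataPolicy {

    public enum Decision { ALLOW, REJECT }

    private static final Set<String> SAFE_METHODS = Set.of("GET", "HEAD");
    private static final Set<String> EMBEDDING_DESTS = Set.of("object", "embed");

    // Header names are matched case-insensitively; values are trimmed and
    // lower-cased so that " Cross-Site " cannot slip past an exact comparison.
    static String header(Map<String, String> headers, String name) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(name)) {
                return e.getValue() == null ? null : e.getValue().trim().toLowerCase(Locale.ROOT);
            }
        }
        return null;
    }

    public static Decision evaluate(String method, Map<String, String> headers) {
        String site = header(headers, "Sec-Fetch-Site");
        if (site == null) {
            // Browser sent no Fetch Metadata (legacy client): this check
            // abstains and the origin/token checks must still run.
            return Decision.ALLOW;
        }
        switch (site) {
            case "same-origin":
            case "same-site":
            case "none":
                return Decision.ALLOW;
            case "cross-site":
                break;
            default:
                // Unknown or malformed value: never treat as trusted.
                return Decision.REJECT;
        }
        // Cross-site request: only a simple top-level navigation to a
        // document is acceptable; anything else is rejected.
        String mode = header(headers, "Sec-Fetch-Mode");
        String dest = header(headers, "Sec-Fetch-Dest");
        boolean safeMethod = SAFE_METHODS.contains(method.toUpperCase(Locale.ROOT));
        boolean navigation = "navigate".equals(mode);
        boolean embedding = dest != null && EMBEDDING_DESTS.contains(dest);
        if (safeMethod && navigation && !embedding) {
            return Decision.ALLOW;
        }
        return Decision.REJECT;
    }

    public static void main(String[] args) {
        // Constructed sample requests, not captured traffic.
        System.out.println("same-origin POST: "
                + evaluate("POST", Map.of("Sec-Fetch-Site", "same-origin")));
        System.out.println("cross-site XHR POST: "
                + evaluate("POST", Map.of("Sec-Fetch-Site", "cross-site",
                        "Sec-Fetch-Mode", "cors", "Sec-Fetch-Dest", "empty")));
        System.out.println("cross-site top-level GET: "
                + evaluate("GET", Map.of("Sec-Fetch-Site", "cross-site",
                        "Sec-Fetch-Mode", "navigate", "Sec-Fetch-Dest", "document")));
        System.out.println("cross-site POST, odd casing and whitespace: "
                + evaluate("POST", Map.of("Sec-Fetch-Site", " Cross-Site ")));
        System.out.println("unknown site value: "
                + evaluate("POST", Map.of("Sec-Fetch-Site", "bogus")));
        System.out.println("no Fetch Metadata at all: "
                + evaluate("POST", Map.of("User-Agent", "legacy")));
    }
}
```

Run it with `java FetchMetadataPolicy.java` on JDK 11 or newer. The design point that matters for this advisory is that the decision is made on normalised values with an explicit deny for anything unrecognised, and that a missing header only means this one check abstains, so a CSRF token or Origin check still has to back it up.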

Fix

HTTP Request/Response Smuggling

CSRF

Weakness Enumeration

Related Identifiers

BDU:2024-02450
CVE-2024-27439
GHSA-8VVP-525H-CXF9

Affected Products

Apache Wicket