Bug 2270332 (CVE-2024-27439)

Summary: CVE-2024-27439 apache-wicket: Possible bypass of CSRF protection
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, fjuma, gmalinko, ivassile, iweiss, janstey, lgao, mosmerov, msochure, mstefank, msvehla, nwallace, pdelbell, pjindal, pmackay, rjohnson, rstancel, smaestri, tom.jenkinson
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: apache-wicket 10.0.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Wicket. Under certain circumstances, this flaw allows an attacker to bypass Cross-Site Request Forgery (CSRF) protections.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2270333    

Description Marco Benatto 2024-03-19 17:16:57 UTC 
An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.
This issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.
Apache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.

Users are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue.

https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo