Lucene search

GoogleOSV:GHSA-HHWC-GH8H-9RRP

HistoryJul 12, 2024 - 3:31 p.m.

Apache Wicket: Remote code execution via XSLT injection

2024-07-1215:31:26

Google

osv.dev

apache wicket

xslt injection

remote code execution

upgrade

validation

security issue

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

EPSS

Percentile

9.3%

JSON

The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.

References

www.openwall.com/lists/oss-security/2024/07/12/2

github.com/apache/wicket

lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc

nvd.nist.gov/vuln/detail/CVE-2024-36522

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

EPSS

Percentile

9.3%

JSON

Related for OSV:GHSA-HHWC-GH8H-9RRP