CVE-2021-23937 is a vulnerability in Apache Wicket
Published on May 25, 2021
DNS proxy and possible amplification attack
A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.
Products Associated with CVE-2021-23937
Want to know whenever a new CVE is published for Apache Wicket? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Wicket:- Version Apache Wicket 9.x, <= 9.2.0 is affected.
- Version Apache Wicket 8.x, <= 8.11.0 is affected.
- Version Apache Wicket 7.x, <= 7.17.0 is affected.
- Version 6.2.0 and below Apache Wicket 6.x* is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.