CVE-2021-23937

Description

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.

How to fix CVE-2021-23937

To remediate CVE-2021-23937, upgrade the affected package to a fixed version below.

• —upgrade to 9.3.0 or later

Is CVE-2021-23937 being exploited?

Moderate — EPSS is 5.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• >= 9.0.0, < 9.3.0

CVSS scores

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23937
• PATCHgithub.com/apache/wicket
• WEBgithub.com/apache/wicket/commit/84f62a5cff462eaa3bfaf171b0638c7e7feea30d
• WEBlists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e@%3Cannounce.wicket.apache.org%3E