CVE-2016-6806

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2016-6806
Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:wicket:6.20.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:6.21.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:6.22.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:6.23.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:6.24.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:7.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:7.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:8.0.0:m1:*:*:*:*:*:*
History

07 Nov 2023, 02:34

Type Values Removed Values Added
References
  • {'url': 'https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd@%3Cannounce.apache.org%3E', 'name': '[wicket-announce] 20161108 CVE-2016-6806: Apache Wicket CSRF detection vulnerability', 'tags': ['Mailing List', 'Vendor Advisory'], 'refsource': 'MLIST'}
  • () https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E -
Information

Published : 2017-10-03 01:29

Updated : 2023-12-10 12:15

NVD link : CVE-2016-6806

Mitre link : CVE-2016-6806

CVE.ORG link : CVE-2016-6806

JSON object : View

Products Affected

apache

  • wicket
CWE
CWE-352

Cross-Site Request Forgery (CSRF)