CVE-2016-6806

EPSS 0.17%
Veröffentlicht 03.10.2017 01:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Wicket Version6.20.0

Apache ≫ Wicket Version6.21.0

Apache ≫ Wicket Version6.22.0

Apache ≫ Wicket Version6.23.0

Apache ≫ Wicket Version6.24.0

Apache ≫ Wicket Version7.0.0

Apache ≫ Wicket Version7.1.0

Apache ≫ Wicket Version7.2.0

Apache ≫ Wicket Version7.3.0

Apache ≫ Wicket Version7.4.0

Apache ≫ Wicket Version8.0.0 Updatem1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.17%	0.382

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd%40%3Cannounce.apache.org%3E

https://nvd.nist.gov/vuln/detail/CVE-2016-6806

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-6806

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-6806

EUVD