
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN442
_____________________________________________________________________

DATE                : 12/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Wicket versions prior to
                                  7.17.0, 8.9.0, 9.0.0.

=====================================================================
https://lists.apache.org/thread.html/r104eeefeb1e9da51f7ef79cef0f9ff12e21ef8559b77801e86b21e16%40%3Cusers.wicket.apache.org%3E
_____________________________________________________________________

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 7.16.0, 8.8.0 and 9.0.0-M5

Description:

By crafting a special URL it is possible to make Wicket deliver
unprocessed HTML templates. This would allow an attacker to see possibly
sensitive information inside an HTML template that is usually removed
during rendering. For example, if there are credentials in the markup
which are never supposed to be visible to the client:

  <wicket:remove>
     some secret
  </wicket:remove>

The application developers are recommended to upgrade to:
- Apache Wicket 7.17.0
<http://wicket.apache.org/news/2020/07/20/wicket-7.17.0-released.html>
- Apache Wicket 8.9.0
<http://wicket.apache.org/news/2020/07/15/wicket-8.9.0-released.html>
- Apache Wicket 9.0.0
<http://wicket.apache.org/news/2020/07/15/wicket-9-released.html>
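Two checks a defender would want from this advisory are (1) whether a deployed Wicket version falls in the affected ranges listed above and (2) whether any HTTP response actually reached a client with template-only markup still in it, since a `<wicket:remove>` block in a served page is exactly the leak the advisory describes. The following is an added example, not part of the CERT-Renater note or of Apache Wicket itself; the version table is taken from the fixed releases above, the `parse_version` and `scan_response` helpers are assumptions of this example, and the sample response bodies are constructed.

```python
import re

# Fixed releases per branch, from the advisory: anything earlier on the
# same branch (including 9.0.0 milestones such as 9.0.0-M5) is affected.
FIXED_RELEASES = {7: (7, 17, 0), 8: (8, 9, 0), 9: (9, 0, 0)}


def parse_version(version):
    """Parse 'major.minor.patch' with an optional '-M5' / '-RC1' suffix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(M\d+|RC\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Wicket version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4) is not None)


def is_vulnerable_version(version):
    """True if the version is in an affected range, False if fixed,
    None if the branch is not covered by this advisory (e.g. 6.x)."""
    major, minor, patch, prerelease = parse_version(version)
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        return None
    if (major, minor, patch) < fixed:
        return True
    # A milestone/RC of the fixed version precedes the fixed release itself.
    if (major, minor, patch) == fixed and prerelease:
        return True
    return False


# Any <wicket:...> element in a rendered page means the template was served
# unprocessed; <wicket:remove> content is the most sensitive case.
WICKET_ELEMENT_RE = re.compile(r"<wicket:([a-zA-Z]+)\b", re.IGNORECASE)
REMOVE_BLOCK_RE = re.compile(r"<wicket:remove>(.*?)</wicket:remove>",
                             re.IGNORECASE | re.DOTALL)


def scan_response(body):
    """Report Wicket template markup that survived rendering in a response body."""
    elements = sorted({m.group(1).lower() for m in WICKET_ELEMENT_RE.finditer(body)})
    remove_blocks = [block.strip() for block in REMOVE_BLOCK_RE.findall(body)]
    return {
        "leaked_template": bool(elements),
        "wicket_elements": elements,
        "remove_blocks": remove_blocks,
    }


# Constructed sample bodies: one properly rendered page, one raw template.
RENDERED_OK = '<html><body><span id="name1">Alice</span></body></html>'
LEAKED_TEMPLATE = (
    "<html><body>\n"
    "<wicket:remove>\n  db.password=EXAMPLE-PLACEHOLDER\n</wicket:remove>\n"
    '<span wicket:id="name">[name]</span>\n'
    "<wicket:panel>preview</wicket:panel>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for v in ("7.16.0", "8.8.0", "9.0.0-M5", "7.17.0", "8.9.0", "9.0.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for name, body in (("rendered", RENDERED_OK), ("leaked", LEAKED_TEMPLATE)):
        print(name, scan_response(body))
```

`scan_response` is suited to a post-deployment smoke test or a proxy/WAF log review: a rendered Wicket page should never contain a `<wicket:remove>` element, so any hit is a finding regardless of how the request was formed. The version check follows the advisory's own branch boundaries and deliberately returns `None` for branches the note does not mention rather than guessing.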

Credit:

The vulnerability has been found and reported by Mariusz Popławski from
Afine.


Apache Wicket Team



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================