CVE-2024-36522: Apache Wicket Vulnerability Opens Door to Remote Code Execution
The Apache Software Foundation has issued a security advisory for a vulnerability (CVE-2024-36522) in Apache Wicket, a widely used Java web application framework. The flaw is improper input validation in the XSLTResourceStream.java component: an attacker who can supply or influence the XSLT stylesheet that this component processes can execute arbitrary code on the affected system.
Apache Wicket is known for its clean separation of markup and logic, using Plain Old Java Objects (POJOs) rather than XML configuration. Its reusable component model has made it a long-standing choice for Java web application development.
The vulnerability arises because XSLT (Extensible Stylesheet Language Transformations) input is processed without adequate validation. An XSLT stylesheet is itself a program: Java XSLT processors such as the one bundled with the JDK expose extension functions that let a stylesheet call Java classes, so a stylesheet an attacker controls can do far more than reshape a document. By injecting malicious XSLT, the attacker manipulates the transformation and ends up executing code inside the application's JVM, with whatever privileges the web application holds. Exposure therefore depends on whether untrusted input can reach the stylesheet that XSLTResourceStream transforms; applications that only load fixed stylesheets shipped with the application are at lower practical risk, but should still upgrade.
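The following added example illustrates the general class of XSLT injection described above on the JDK's built-in XSLT processor; it is not Wicket's code, not the CVE-2024-36522 exploit, and the `XsltHardeningDemo` class, the constructed stylesheet and the `java.version` property lookup are all assumptions made for illustration. It places the unhardened shape (a default `TransformerFactory` fed an attacker-influenced stylesheet) beside a hardened one that enables `FEATURE_SECURE_PROCESSING` and disables external DTD and stylesheet access.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added illustration (not Apache Wicket's code) of why an XSLT stylesheet that
 * an attacker can influence is a code-execution sink on the JDK's built-in
 * XSLT processor, and how a hardened TransformerFactory refuses it.
 */
public class XsltHardeningDemo {

    // Constructed sample stylesheet: it reaches into the JVM through a Java
    // extension function. On a processor with extension functions enabled
    // (the JDK's historical default) this calls an arbitrary static method;
    // System.getProperty is used here only to show the capability harmlessly.
    static final String EXTENSION_CALL_XSLT =
        "<xsl:stylesheet version=\"1.0\""
      + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
      + " xmlns:java=\"http://xml.apache.org/xalan/java\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\">"
      + "<xsl:value-of select=\"java:java.lang.System.getProperty('java.version')\"/>"
      + "</xsl:template></xsl:stylesheet>";

    // Constructed input document; its content is irrelevant to the stylesheet.
    static final String INPUT_XML = "<root/>";

    /** Vulnerable shape: default factory, stylesheet taken from untrusted input. */
    static TransformerFactory unhardenedFactory() {
        return TransformerFactory.newInstance();
    }

    /** Hardened shape: extension functions disabled, no external fetches. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing makes the JDK processor reject extension functions
        // at stylesheet compile time.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Block the stylesheet from pulling in external DTDs or stylesheets.
        // A third-party factory lacking these attributes throws
        // IllegalArgumentException, which is better surfaced than ignored.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Compiles and runs the stylesheet; returns the output, or null if rejected. */
    static String transform(TransformerFactory tf, String xslt, String xml) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(xslt)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            // TransformerConfigurationException (a subclass) is what the hardened
            // factory throws when it refuses the extension call.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String leaked = transform(unhardenedFactory(), EXTENSION_CALL_XSLT, INPUT_XML);
        System.out.println("unhardened factory ran the extension call, output: " + leaked);

        String blocked = transform(hardenedFactory(), EXTENSION_CALL_XSLT, INPUT_XML);
        System.out.println("hardened factory output (null means rejected): " + blocked);
    }
}
```

Run it with a plain `javac`/`java` on a stock JDK: the first call prints the JVM's version string, proving that the stylesheet executed Java rather than just transforming XML, while the second reports the stylesheet as rejected. The same two-line hardening applies to any code path that hands a `TransformerFactory` a stylesheet derived from request data, and reviewing such paths is a sensible companion to upgrading.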
Any organization or individual utilizing vulnerable versions of Apache Wicket is at immediate risk. This includes:
- Apache Wicket versions 10.0.0-M1 to 10.0.0
- Apache Wicket versions 9.0.0 to 9.17.0
- Apache Wicket versions 8.0.0 to 8.15.0
The Apache Wicket team has responded by releasing patched versions of the framework for each affected branch. Users are strongly advised to upgrade to the fixed release of their branch to mitigate the risk associated with CVE-2024-36522:
The patched releases fix the XSLT injection vulnerability in XSLTResourceStream.java, preventing exploitation and removing the remote code execution risk. Until the upgrade is complete, treat any code path that lets request data reach the stylesheet passed to XSLTResourceStream as exposed.