Hello everyone,
The internet developer community found a bug in
spring-beans/spring-webmvc on 03/30/2022. I would like to know to what
extent Wicket could be affected for this exploit? I think it should be a
specific behavior with Spring and the servlet engine (Tomcat was used in
the exploit), but Wicket is also a servlet-driven web framework.
The exploit used a code injection block with "<% bad java code/cmds %>"
and a beanintrospeaction via a rest service call. What is the opinion of
the Wicket core team on this issue?
Thanks in advance
Daniel
Sources:
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
(informed by github)
https://tanzu.vmware.com/security/cve-2022-22965
https://github.com/tweedge/springcore-0day-en