Hello everyone,

The internet developer community found a bug in spring-beans/spring-webmvc on 03/30/2022. I would like to know to what extent Wicket could be affected by this exploit. I think it should be a specific behavior with Spring and the servlet engine (Tomcat was used in the exploit), but Wicket is also a servlet-driven web framework.

The exploit used a code injection block with "<% bad java code/cmds %>" and a bean introspection via a REST service call. What is the opinion of the Wicket core team on this issue?

Thanks in advance
Daniel


Sources:
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751 (informed by GitHub)
https://tanzu.vmware.com/security/cve-2022-22965
https://github.com/tweedge/springcore-0day-en
