Hi, I don't think a normal Wicket application is vulnerable to this attack. But I recommend that you update Spring in your applications anyway.
On Fri, Apr 1, 2022, 10:21 kyrindorx <kyrind...@gmail.com> wrote:

> Hello everyone,
>
> The internet developer community found a bug in
> spring-beans/spring-webmvc on 03/30/2022. I would like to know to what
> extent Wicket could be affected by this exploit? I think it should be a
> specific behavior with Spring and the servlet engine (Tomcat was used in
> the exploit), but Wicket is also a servlet-driven web framework.
>
> The exploit used a code injection block with "<% bad java code/cmds %>"
> and a bean introspection via a REST service call. What is the opinion of
> the Wicket core team on this issue?
>
> Thanks in advance
> Daniel
>
>
> Sources:
> https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
> (informed by GitHub)
> https://tanzu.vmware.com/security/cve-2022-22965
> https://github.com/tweedge/springcore-0day-en