Hi,
Thank you for the first answer of this issue. I have also a question
about https://github.com/MarcGiffing/wicket-spring-boot and a upgrade of
spring-beans or spring in general. Do you have good idea upgrade spring
to version 5.2.20, 5.3.18 without an impact with wicket-spring-boot?
I'll thankful for any hints :)
Background:
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
Greets
Daniel
Am 01.04.2022 um 20:17 schrieb Martin Grigorov:
Hi,
I don't think a normal Wicket application is vulnerable to this attack.
But I recommend you to update Spring in your applications anyway.
On Fri, Apr 1, 2022, 10:21 kyrindorx<kyrind...@gmail.com> wrote:
Hello everyone,
The internet developer community found a bug in
spring-beans/spring-webmvc on 03/30/2022. I would like to know to what
extent Wicket could be affected for this exploit? I think it should be a
specific behavior with Spring and the servlet engine (Tomcat was used in
the exploit), but Wicket is also a servlet-driven web framework.
The exploit used a code injection block with "<% bad java code/cmds %>"
and a beanintrospeaction via a rest service call. What is the opinion of
the Wicket core team on this issue?
Thanks in advance
Daniel
Sources:
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
(informed by github)
https://tanzu.vmware.com/security/cve-2022-22965
https://github.com/tweedge/springcore-0day-en