On Tue, Apr 5, 2022, 13:18 kyrindorx <kyrind...@gmail.com> wrote:

> Hi,
>
> Thank you for the first answer of this issue. I also have a question
> about https://github.com/MarcGiffing/wicket-spring-boot and an upgrade of
> spring-beans or spring in general. Do you have a good idea how to upgrade spring
> to version 5.2.20, 5.3.18 without an impact on wicket-spring-boot?
> I'll be thankful for any hints :)
>

Just update/overwrite the Spring version in your pom.xml and all should be fine!

> Background:
>
> https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
>
>
> Greets
> Daniel
>
>
> On 01.04.2022 at 20:17, Martin Grigorov wrote:
> > Hi,
> >
> > I don't think a normal Wicket application is vulnerable to this attack.
> > But I recommend you to update Spring in your applications anyway.
> >
> > On Fri, Apr 1, 2022, 10:21 kyrindorx <kyrind...@gmail.com> wrote:
> >
> >> Hello everyone,
> >>
> >> The internet developer community found a bug in
> >> spring-beans/spring-webmvc on 03/30/2022. I would like to know to what
> >> extent Wicket could be affected by this exploit. I think it should be a
> >> specific behavior with Spring and the servlet engine (Tomcat was used in
> >> the exploit), but Wicket is also a servlet-driven web framework.
> >>
> >> The exploit used a code injection block with "<% bad java code/cmds %>"
> >> and a bean introspection via a rest service call. What is the opinion of
> >> the Wicket core team on this issue?
> >>
> >> Thanks in advance
> >> Daniel
> >>
> >>
> >> Sources:
> >> https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
> >> (informed by github)
> >> https://tanzu.vmware.com/security/cve-2022-22965
> >> https://github.com/tweedge/springcore-0day-en
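A concrete way to apply the pom.xml override suggested in the reply, as an added example that is not from the thread or from the wicket-spring-boot project: it assumes a Maven project that inherits from spring-boot-starter-parent, whose spring-framework.version property is the one Spring Boot's dependency management uses to pin every org.springframework artifact, and the Boot version shown is a placeholder.

```xml
<!-- Added example: pins the Spring Framework version managed by the Spring Boot
     parent so that the patched release wins over the transitive one.
     Assumes the project inherits spring-boot-starter-parent; the Boot version
     below is a placeholder, keep the one you already use. -->
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>YOUR-CURRENT-BOOT-VERSION</version>
  </parent>

  <properties>
    <!-- Every org.springframework:* artifact (spring-beans, spring-webmvc, ...)
         that wicket-spring-boot pulls in transitively now resolves to this version.
         Use 5.3.18 on a Boot line built against Spring 5.3.x, or 5.2.20 on a
         Boot line that is still on Spring 5.2.x. -->
    <spring-framework.version>5.3.18</spring-framework.version>
  </properties>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.springframework` prints the version that actually resolved for each Spring artifact; any entry still below the patched version means another dependency is pinning it and needs its own override.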