ID CVE-2016-6793
Summary The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:wicket:1.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:1.5.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.0.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.0.0-beta1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.0.0-beta2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.0.0-beta3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.11.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.12.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.13.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.14.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.15.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.16.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.17.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.18.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.19.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.20.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.21.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.22.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.23.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:wicket:6.24.0:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 06-05-2019 - 19:15)
Impact: 4.9
Exploitability: 10.0
CWE CWE-502
CAPEC
  • Object Injection
    An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Access
  Vector: NETWORK   Complexity: LOW   Authentication: NONE
Impact
  Confidentiality: NONE   Integrity: PARTIAL   Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:P/A:P
refmap via4
bid 95168
bugtraq 20161231 Fwd: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability
confirm https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html
misc https://www.tenable.com/security/research/tra-2016-23
mlist [oss-security] 20161231 Fwd: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability
sectrack 1037541
Last major update 06-05-2019 - 19:15
Published 17-07-2017 - 13:18
Last modified 06-05-2019 - 19:15