Description
In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.
Remediation
References
https://lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d%401392986987%40%3Cannounce.wicket.apache.org%3E
Related Vulnerabilities
CVE-2019-10083 Vulnerability in maven package org.apache.nifi:nifi-nar-bundles
CVE-2021-32731 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web
CVE-2017-5649 Vulnerability in maven package org.apache.geode:geode-pulse
CVE-2021-28164 Vulnerability in maven package org.eclipse.jetty:jetty-webapp
CVE-2018-1000402 Vulnerability in maven package org.jenkins-ci.plugins:codedeploy