CVE-2016-6793

The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*

History

21 Nov 2024, 02:56

Type Values Removed Values Added
References () http://www.openwall.com/lists/oss-security/2016/12/31/1 - Mailing List, Third Party Advisory () http://www.openwall.com/lists/oss-security/2016/12/31/1 - Mailing List, Third Party Advisory
References () http://www.securityfocus.com/archive/1/539975/100/0/threaded - Mailing List, Third Party Advisory, VDB Entry () http://www.securityfocus.com/archive/1/539975/100/0/threaded - Mailing List, Third Party Advisory, VDB Entry
References () http://www.securityfocus.com/bid/95168 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/95168 - Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1037541 - Third Party Advisory, VDB Entry () http://www.securitytracker.com/id/1037541 - Third Party Advisory, VDB Entry
References () https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html - Vendor Advisory () https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html - Vendor Advisory
References () https://www.tenable.com/security/research/tra-2016-23 - Third Party Advisory () https://www.tenable.com/security/research/tra-2016-23 - Third Party Advisory

Information

Published : 2017-07-17 13:18

Updated : 2024-11-21 02:56


NVD link : CVE-2016-6793

Mitre link : CVE-2016-6793

CVE.ORG link : CVE-2016-6793


JSON object : View

Products Affected

apache

  • wicket
CWE
CWE-502

Deserialization of Untrusted Data