{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-02T20:53:35.769","vulnerabilities":[{"cve":{"id":"CVE-2024-27439","sourceIdentifier":"security@apache.org","published":"2024-03-19T11:15:06.537","lastModified":"2025-06-27T14:43:53.587","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"An error in the evaluation of the fetch metadata headers could allow a bypass of the CSRF protection in Apache Wicket.\nThis issue affects Apache Wicket: from 9.1.0 through 9.16.0, and the milestone releases for the 10.0 series.\nApache Wicket 8.x does not support CSRF protection via the fetch metadata headers and as such is not affected.\n\nUsers are recommended to upgrade to version 9.17.0 or 10.0.0, which fixes the issue."},{"lang":"es","value":"Un error en la evaluación de los encabezados de metadatos de recuperación podría permitir eludir la protección CSRF en Apache Wicket. Este problema afecta a Apache Wicket: desde 9.1.0 hasta 9.16.0 y los lanzamientos importantes para la serie 10.0. Apache Wicket 8.x no admite la protección CSRF a través de los encabezados de metadatos de recuperación y, como tal, no se ve afectado. Se recomienda a los usuarios actualizar a la versión 9.17.0 o 10.0.0, que soluciona el problema."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.5}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-352"},{"lang":"en","value":"CWE-444"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*","versionStartIncluding":"9.1.0","versionEndExcluding":"9.17.0","matchCriteriaId":"26BA1B22-867F-4638-B682-97D916E23EF6"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:wicket:10.0.0:milestone1:*:*:*:*:*:*","matchCriteriaId":"9365B852-58AE-46B0-8EA5-41AB42E3BC40"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:wicket:10.0.0:milestone2:*:*:*:*:*:*","matchCriteriaId":"AFEF17BD-48F1-4CAF-A195-45EE63001E12"}]}]}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2024/03/19/2","source":"security@apache.org","tags":["Mailing List"]},{"url":"https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2024/03/19/2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]},{"url":"https://lists.apache.org/thread/o825rvjjtmz3qv21ps5k7m2w9193g1lo","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Vendor Advisory"]}]}}]}