Vulnerability Details CVE-2016-6793
The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.048
EPSS Ranking 89.1%
CVSS Severity
CVSS v3 Score 9.1
CVSS v2 Score 6.4
References
- http://www.openwall.com/lists/oss-security/2016/12/31/1
- http://www.securityfocus.com/archive/1/539975/100/0/threaded
- http://www.securityfocus.com/bid/95168
- http://www.securitytracker.com/id/1037541
- https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html
- https://www.tenable.com/security/research/tra-2016-23
- http://www.openwall.com/lists/oss-security/2016/12/31/1
- http://www.securityfocus.com/archive/1/539975/100/0/threaded
- http://www.securityfocus.com/bid/95168
- http://www.securitytracker.com/id/1037541
- https://wicket.apache.org/news/2016/12/31/cve-2016-6793.html
- https://www.tenable.com/security/research/tra-2016-23
Products affected by CVE-2016-6793
-
cpe:2.3:a:apache:wicket:1.5.0
-
cpe:2.3:a:apache:wicket:1.5.1
-
cpe:2.3:a:apache:wicket:1.5.10
-
cpe:2.3:a:apache:wicket:1.5.11
-
cpe:2.3:a:apache:wicket:1.5.12
-
cpe:2.3:a:apache:wicket:1.5.13
-
cpe:2.3:a:apache:wicket:1.5.14
-
cpe:2.3:a:apache:wicket:1.5.15
-
cpe:2.3:a:apache:wicket:1.5.16
-
cpe:2.3:a:apache:wicket:1.5.2
-
cpe:2.3:a:apache:wicket:1.5.3
-
cpe:2.3:a:apache:wicket:1.5.4
-
cpe:2.3:a:apache:wicket:1.5.4.1
-
cpe:2.3:a:apache:wicket:1.5.5
-
cpe:2.3:a:apache:wicket:1.5.6
-
cpe:2.3:a:apache:wicket:1.5.7
-
cpe:2.3:a:apache:wicket:1.5.8
-
cpe:2.3:a:apache:wicket:1.5.9
-
cpe:2.3:a:apache:wicket:6.0.0
-
cpe:2.3:a:apache:wicket:6.0.0-beta1
-
cpe:2.3:a:apache:wicket:6.0.0-beta2
-
cpe:2.3:a:apache:wicket:6.0.0-beta3
-
cpe:2.3:a:apache:wicket:6.1.0
-
cpe:2.3:a:apache:wicket:6.1.1
-
cpe:2.3:a:apache:wicket:6.10.0
-
cpe:2.3:a:apache:wicket:6.11.0
-
cpe:2.3:a:apache:wicket:6.12.0
-
cpe:2.3:a:apache:wicket:6.13.0
-
cpe:2.3:a:apache:wicket:6.14.0
-
cpe:2.3:a:apache:wicket:6.15.0
-
cpe:2.3:a:apache:wicket:6.16.0
-
cpe:2.3:a:apache:wicket:6.17.0
-
cpe:2.3:a:apache:wicket:6.18.0
-
cpe:2.3:a:apache:wicket:6.19.0
-
cpe:2.3:a:apache:wicket:6.2.0
-
cpe:2.3:a:apache:wicket:6.20.0
-
cpe:2.3:a:apache:wicket:6.21.0
-
cpe:2.3:a:apache:wicket:6.22.0
-
cpe:2.3:a:apache:wicket:6.23.0
-
cpe:2.3:a:apache:wicket:6.24.0
-
cpe:2.3:a:apache:wicket:6.3.0
-
cpe:2.3:a:apache:wicket:6.4.0
-
cpe:2.3:a:apache:wicket:6.5.0
-
cpe:2.3:a:apache:wicket:6.6.0
-
cpe:2.3:a:apache:wicket:6.7.0
-
cpe:2.3:a:apache:wicket:6.8.0
-
cpe:2.3:a:apache:wicket:6.9.0
-
cpe:2.3:a:apache:wicket:6.9.1