Apache Wicket Addresses Critical RCE Vulnerability (CVE-2024-36522)

The Apache Wicket Project Management Committee (PMC) has released security updates for their widely-used Java web application framework, addressing a critical remote code execution vulnerability (CVE-2024-36522). The flaw, discovered in earlier versions of Apache Wicket, stemmed from a potential XSLT injection attack, enabling malicious actors to execute arbitrary code on affected systems.

Apache Wicket is a popular open-source framework powering thousands of web applications and websites worldwide. Its user-friendly, component-oriented design has made it a favorite among developers in diverse sectors, including government, education, finance, and e-commerce.

The vulnerability, classified as critical, could have allowed attackers to gain control over vulnerable web applications and potentially compromise sensitive data. By injecting malicious XSLT code, attackers could exploit the framework’s functionality to execute harmful commands on the server-side.

The Apache Wicket PMC has promptly addressed the issue by releasing updated versions 9.18.0 and 10.1.0, which include a patch for CVE-2024-36522. It is crucial for organizations and individuals utilizing Apache Wicket to upgrade to these latest versions immediately.

Alongside the security fix, the new releases also bring bug fixes, new features, and improvements to enhance the framework’s functionality and user experience. These include:

• 9.18.0: Fixes for live session errors and minification issues, a new ready-to-use dropdown component, and auto-label updates.
• 10.1.0: Fixes for Greek i18n, websocket exceptions, and enhanced ModalDialog API. Additionally, it provides better debugging information in locking scenarios.