CVE-2024-36522
Published: 12 July 2024
Summary
CVE-2024-36522 is a critical-severity Injection (CWE-74) vulnerability in Apache Wicket. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is an instance of CWE-74 in the default configuration of XSLTResourceStream.java, which permits remote code execution through XSLT injection when the component processes input from an untrusted source without validation. Wicket versions prior to the fixed releases listed below are affected, and the issue carries a CVSS 3.1 score of 9.8, reflecting a network-accessible attack vector, low attack complexity, and no required privileges or user interaction.
An unauthenticated attacker can supply a malicious XSLT payload over the network and achieve arbitrary code execution on the target system, resulting in full compromise of confidentiality, integrity, and availability. The attack requires only that the application use the vulnerable default configuration while handling attacker-controlled data.
Public advisories from the Apache project and oss-security lists direct users to upgrade to Wicket versions 10.1.0, 9.18.0, or 8.16.0 to resolve the flaw. The EPSS score has remained flat at 0.0827 with no material rise since disclosure.
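The root cause described above is that a stylesheet, which is executable XSLT code, is taken from an untrusted source. The following is an added example, not code from Apache Wicket or the advisory, showing the defensive pattern that avoids this class of bug: the stylesheet stays server-controlled, only the XML data comes from the caller, and the JAXP transformer is hardened with the standard XMLConstants switches. The class name HardenedXslt, the sample stylesheet and the sample order XML are constructed for illustration; the note that secure processing also blocks extension functions describes the JDK's built-in XSLTC transformer and may not hold for other XSLT engines.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example (hypothetical, not Apache Wicket code): the stylesheet lives on
 * the trusted side of the boundary, and the transformer that consumes caller
 * data is hardened so that neither the data nor a misplaced stylesheet can
 * reach extension functions or external resources.
 */
public final class HardenedXslt {

    // Server-controlled stylesheet (constructed sample). It is never assembled
    // from request data: an attacker who controls this string controls code.
    private static final String TRUSTED_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "  <xsl:output method=\"text\"/>"
      + "  <xsl:template match=\"/order\">"
      + "    Order <xsl:value-of select=\"@id\"/> for <xsl:value-of select=\"customer\"/>"
      + "  </xsl:template>"
      + "</xsl:stylesheet>";

    /** A TransformerFactory with secure processing on and external access off. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        // Secure processing: with the JDK's built-in transformer this also
        // disables extension functions, which are the XSLT-to-Java call path.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list = no fetching of external DTDs/entities, and no
        // xsl:import / xsl:include / document() against external stylesheets.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    /**
     * Transform caller-supplied XML data with the trusted stylesheet.
     * Deliberately there is no overload that accepts a stylesheet from the
     * caller: that is exactly the untrusted-stylesheet pattern behind the CVE.
     */
    static String render(String untrustedXml) throws Exception {
        Transformer t = hardenedFactory()
            .newTransformer(new StreamSource(new StringReader(TRUSTED_XSLT)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(untrustedXml)), new StreamResult(out));
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample standing in for request data.
        String xml = "<order id=\"42\"><customer>Alice</customer></order>";
        System.out.println(render(xml));
    }
}
```

The design point is the trust boundary, not the flags: a stylesheet obtained from an untrusted source is untrusted code whatever the factory settings, so the secure-processing and external-access switches are defence in depth for the data path, and neither replaces upgrading to the fixed Wicket versions named in the advisory.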
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2364
Vulnerability details
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
- CWE(s): CWE-74 (Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer security assessment and testing (including injection-focused techniques) identify improper neutralization of special elements before deployment, and a verifiable flaw-remediation process corrects them.
- Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).