CVE-2014-0043: Apache Wicket allows attackers to check for third-party libraries

May 17, 2022 (updated April 23, 2025)

In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use.

References

github.com/advisories/GHSA-244g-8368-6wr9
github.com/apache/wicket
lists.apache.org/thread.html/d95e962f2f059a09f5abf7086c3f4ed22d2ae2c21499d0de95d4435d@1392986987@%3Cannounce.wicket.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2014-0043

Code Behaviors & Features

Detect and mitigate CVE-2014-0043 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →