CVE-2016-6806: Apache Wicket vulnerable to CSRF attacks

May 17, 2022 (updated April 23, 2025)

Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 provide a CSRF prevention measure that fails to discover some cross origin requests. The mitigation is to not only check the Origin HTTP header, but also take the Referer HTTP header into account when no Origin was provided. Furthermore, not all Wicket server side targets were subjected to the CSRF check. This was also fixed.

References

github.com/advisories/GHSA-xc66-mg8r-q6r5
github.com/apache/wicket
lists.apache.org/thread.html/074b72585f4b7c6adda1af52aecbfe1be23c6d6f5bb9382270f059cd@%3Cannounce.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2016-6806

Code Behaviors & Features

Detect and mitigate CVE-2016-6806 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →