CVEDetect closed this issue 3 years ago
@sebfz1 Could you please help me check this issue? May I open a pull request to fix it? Thanks again.
@CVEDetect I am not sure whether you are a bot or not. You should use wicket-jquery-ui-8.13.0 or wicket-jquery-ui-9.4.0. 8.0.0-M9 is way too old.
OK, these two versions have no problem. Thanks.
I thought it was a GitHub bot, thanks Martin! :)
Hi, in wicket-jquery-ui-wicket-jquery-ui-8.0.0-M9/wicket-jquery-ui-calendar, there is a dependency, org.apache.wicket:wicket-core:8.0.0-M9, that calls the risk method.
CVE-2021-23937
The affected version ranges of this CVE are [9.0.0,9.3.0), [8.0.0,8.12.0), [6.2.0,7.18.0)
After further analysis, in this project, the main API called is <org.apache.wicket.protocol.http.request.WebClientInfo: java.lang.String getRemoteAddr(org.apache.wicket.request.cycle.RequestCycle)>
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 9
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.