{"id":"CVE-2021-23937","details":"A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.","aliases":["GHSA-hmhg-95wh-r699"],"modified":"2026-05-19T00:02:52.062918Z","published":"2021-05-25T17:15:08.187Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/wicket","events":[{"introduced":"0d75ee57abb31b4db48c0396870aba39c4d9ddee"},{"last_affected":"79154ff0ef8c920f586dd88d87dd9afad91b6dac"},{"introduced":"98a3a6295f426aa25a121f914a41bf792df8fdb0"},{"last_affected":"2d92f60565fc0c5d5954ce6f313555b596197d6d"},{"introduced":"5e789f1c98f6d57dba17f896c6220b0202af08a9"},{"last_affected":"34f78c853500356135918ef16356bd669bb96422"},{"introduced":"c2802f3ef8df9833da63d144fb4ad03d59e31acc"},{"last_affected"
:"bb7560bda91fb06f9c6107530947c73aaf4154db"}],"database_specific":{"cpe":"cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"6.0.0"},{"last_affected":"6.2.0"},{"introduced":"7.0.0"},{"last_affected":"7.17.0"},{"introduced":"8.0.0"},{"last_affected":"8.11.0"},{"introduced":"9.0.0"},{"last_affected":"9.2.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-23937.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}