7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-23937

GHSA ID

GHSA-hmhg-95wh-r699

EPSS Score

0.90978%

CWE

CWE-20

Published

5/24/2022

Updated

8/8/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-23937

CVE-2021-23937: DNS based denial of service in Apache Wicket

A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2021-23937

CVE-2021-23937:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2021-23937

GHSA ID

GHSA-hmhg-95wh-r699

EPSS Score

0.90978%

CWE

CWE-20

Published

5/24/2022

Updated

8/8/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.wicket:wicket-core	maven	>= 9.0.0, < 9.3.0	9.3.0
org.apache.wicket:wicket-core	maven	>= 8.0.0, < 8.12.0	8.12.0
org.apache.wicket:wicket-core	maven	< 7.18.0	7.18.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the getRemoteAddr method's handling of X-Forwarded-For headers. The pre-patch code: 1) Extracted X-Forwarded-For header values, 2) Attempted to resolve them via InetAddress.getByName(), 3) Lacked proper validation of input format. The commit diff shows removal of all X-Forwarded-For processing logic, replacing it with direct use of getRemoteAddr(). The CWE-20 (Input Validation) classification confirms this was an unsanitized input handling issue. The DNS lookup pattern (InetAddress.getByName()) on untrusted header data directly enables the described amplification/DoS scenario.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-23937: DNS based denial of service in Apache Wicket

CVE-2021-23937:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

CVE-2021-23937: DNS based denial of service in Apache Wicket

7.5

7.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2021-23937: DNS based denial of service in Apache Wicket

CVE-2021-23937:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2021-23937: DNS based denial of service in Apache Wicket

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI