Description
Directory traversal vulnerability in Apache Wicket 1.4.x before 1.4.20 and 1.5.x before 1.5.5 allows remote attackers to read arbitrary web-application files via a relative pathname in a URL for a Wicket resource that corresponds to a null package.
Affected products
- apache / wicket1.4.0 – 1.4.0
- apache / wicket1.4.1 – 1.4.1
- apache / wicket1.4.2 – 1.4.2
- apache / wicket1.4.3 – 1.4.3
- apache / wicket1.4.4 – 1.4.4
- apache / wicket1.4.5 – 1.4.5
- apache / wicket1.4.6 – 1.4.6
- apache / wicket1.4.7 – 1.4.7
- apache / wicket1.4.8 – 1.4.8
- apache / wicket1.4.9 – 1.4.9
- apache / wicket1.4.10 – 1.4.10
- apache / wicket1.4.11 – 1.4.11
- apache / wicket1.4.12 – 1.4.12
- apache / wicket1.4.13 – 1.4.13
- apache / wicket1.4.14 – 1.4.14
- apache / wicket1.4.15 – 1.4.15
- apache / wicket1.4.16 – 1.4.16
- apache / wicket1.4.17 – 1.4.17
- apache / wicket1.4.18 – 1.4.18
- apache / wicket1.4.19 – 1.4.19
- apache / wicket1.5.0 – 1.5.0
- apache / wicket1.5.1 – 1.5.1
- apache / wicket1.5.2 – 1.5.2
- apache / wicket1.5.3 – 1.5.3
- apache / wicket1.5.4 – 1.5.4