Welcome to Apache Wicket

With proper mark-up/logic separation, a POJO data model, and a refreshing lack of XML, Apache Wicket makes developing web-apps simple and enjoyable again. Swap the boilerplate, complex debugging and brittle code for powerful, reusable components written with plain Java and HTML.

Wicket is released under the Apache License, Version 2.0.

CVE-2014-3526 - Apache Wicket Information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.5.11, 6.16.0 and 7.0.0-M2

Description:

When rendering a web page, Wicket checks the request URL against the URL at render time. The application may change the page parameters (both the query parameters and the parameters encoded into the request path). When the requested URL differs from the one at render time, Wicket stores the response (i.e. the page markup) on the server side and issues an HTTP redirect to the new URL. When the second request arrives, Wicket simply flushes the stored response from the first request into the HTTP output stream. This way the browser address bar shows the updated page parameters.

When storing the page markup on the server side, Wicket uses the pair of the current session id and the new URL as the identifier. However, Wicket does not check whether the user's session is temporary (i.e. sessionId is null). This could lead to a security issue if two or more users with a temporary session are redirected to the same URL at the same time: user1 might see the markup for user2, which has overwritten the markup for user1 while user1 was following the HTTP redirect. In this way, user-sensitive information can be seen by other users.

Application developers are recommended to upgrade to:

  • Apache Wicket 1.5.12
  • Apache Wicket 6.17.0
  • Apache Wicket 7.0.0-M3

Credit: This issue was reported by Andrea Del Bene and Martin Grigorov!

Apache Wicket Team
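
The key collision described in the advisory above, shown as an added example in a simplified model of a buffered-response store (not Wicket's own code). The class and method names and the sample URL are hypothetical, and refusing to buffer for a null session id is one possible mitigation assumed here for illustration, not a description of the released fix.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of the redirect-to-buffer store described in the advisory.
// All class and method names are hypothetical; this is not Wicket's code.
public class BufferedResponseDemo {
    // Key is the pair (sessionId, url); sessionId is null for a temporary session.
    record Key(String sessionId, String url) {}

    static class Store {
        private final Map<Key, String> buffered = new ConcurrentHashMap<>();
        private final boolean rejectTemporarySessions;

        Store(boolean rejectTemporarySessions) {
            this.rejectTemporarySessions = rejectTemporarySessions;
        }

        // Returns false when nothing was buffered; the caller must then not redirect to the buffer.
        boolean store(String sessionId, String url, String markup) {
            if (rejectTemporarySessions && sessionId == null) {
                return false;
            }
            buffered.put(new Key(sessionId, url), markup);
            return true;
        }

        // Second request: flush and forget whatever is stored under the key.
        String flush(String sessionId, String url) {
            return buffered.remove(new Key(sessionId, url));
        }
    }

    public static void main(String[] args) {
        String url = "/account?view=summary"; // constructed sample URL

        // Behaviour from the advisory: neither user has a session id, so the keys collide.
        Store weak = new Store(false);
        weak.store(null, url, "<p>markup for user1</p>");
        weak.store(null, url, "<p>markup for user2</p>"); // overwrites user1's entry
        System.out.println("user1 receives: " + weak.flush(null, url));

        // Hardened behaviour: nothing is buffered without a real session id.
        Store strict = new Store(true);
        System.out.println("buffered for temporary session: "
                + strict.store(null, url, "<p>markup for user1</p>"));
        System.out.println("buffered for bound session: "
                + strict.store("A1B2", url, "<p>markup for user1</p>"));
    }
}
```

The record syntax requires Java 16 or later.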

Wicket 1.5.12 released

This is the twelfth maintenance release of the Wicket 1.5.x series. This release brings over 5 bug fixes and improvements.

<dependency>
    <groupId>org.apache.wicket</groupId>
    <artifactId>wicket-core</artifactId>
    <version>1.5.12</version>
</dependency>

Older news items

  • Apache Wicket 6.17.0 released - 24 Aug 2014
    The Apache Wicket PMC is proud to announce Apache Wicket 6.17.0! This release marks the seventeenth minor release of Wicket 6. Starting with Wicket 6... more
  • Apache Wicket 7.0.0-M3 released - 23 Aug 2014
    We have released the third of a series of milestone releases for Apache Wicket 7. We aim to finalise Wicket 7 over the coming months... more
  • Apache Wicket 6.16.0 released - 21 Jun 2014
    The Apache Wicket PMC is proud to announce Apache Wicket 6.16.0! This release marks the sixteenth minor release of Wicket 6. Starting with Wicket 6... more
  • Apache Wicket 7.0.0-M2 released - 20 Jun 2014
    We have released the first of a series of milestone releases for Apache Wicket 7. We aim to finalise Wicket 7 over the coming months... more
  • Apache Wicket 7.0.0-M1 released - 30 Apr 2014
    We have released the first of a series of milestone releases for Apache Wicket 7. We aim to finalise Wicket 7 over the coming months... more
  • Apache Wicket 6.15.0 released - 23 Apr 2014
    The Apache Wicket PMC is proud to announce Apache Wicket 6.15.0! This release marks the fifteenth minor release of Wicket 6. Starting with Wicket 6... more
  • CVE-2014-0043 - Apache Wicket Information disclosure vulnerability - 21 Feb 2014
    Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Wicket 1.5.10 and 6.13.0 Description: By issuing requests to special urls handled by Wicket it... more
  • Apache Wicket 6.14.0 released - 20 Feb 2014
    The Apache Wicket PMC is proud to announce Apache Wicket 6.14.0! This release marks the fourteenth minor release of Wicket 6. Starting with Wicket 6... more
  • Wicket 1.5.11 released - 06 Feb 2014
    This is the eleventh maintenance release of the Wicket 1.5.x series. This release brings over 34 bug fixes and improvements. Git tag Changelog To use... more
  • Wicket 1.4.23 released - 06 Feb 2014
    This is the twenty-third release of the Wicket 1.4.x series. This is a security bugfix release on the 1.4.x branch. Read CVE-2013-2055 for more information.... more

# Books about Wicket

The following books are published regarding Apache Wicket (click a cover to learn more about the book):