VYPR
High severity · 7.5 · NVD Advisory · Published Sep 15, 2017 · Updated May 13, 2026

CVE-2014-7808

Description

Apache Wicket before 1.5.13, 6.x before 6.19.0, and 7.x before 7.0.0-M5 make it easier for attackers to defeat a cryptographic protection mechanism and predict encrypted URLs by leveraging use of CryptoMapper as the default encryption provider.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                  Affected versions           Patched versions
org.apache.wicket:wicket-core (Maven)    < 1.5.13                    1.5.13
org.apache.wicket:wicket-core (Maven)    >= 6.0.0-beta1, < 6.19.0    6.19.0
org.apache.wicket:wicket-core (Maven)    >= 7.0.0-M1, < 7.0.0-M5     7.0.0-M5

Affected products

  • Apache/Wicket (6 versions)
    • cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:* (range: >=1.5.0,<1.5.13)
    • cpe:2.3:a:apache:wicket:7.0.0:milestone1:*:*:*:*:*:*
    • cpe:2.3:a:apache:wicket:7.0.0:milestone2:*:*:*:*:*:*
    • cpe:2.3:a:apache:wicket:7.0.0:milestone3:*:*:*:*:*:*
    • cpe:2.3:a:apache:wicket:7.0.0:milestone4:*:*:*:*:*:*
    • cpe:2.3:a:apache:wicket:7.0.0:milestone5:*:*:*:*:*:*

Patches

d2b8848346b8

WICKET-5756 Allow to use custom ciphers when using SunJceCrypt class

https://github.com/apache/wicket · Martin Tzvetanov Grigorov · Nov 25, 2014 · via ghsa
2 files changed · +14 -4
  • wicket-core/src/main/java/org/apache/wicket/settings/def/SecuritySettings.java (+2 -2, modified)
    @@ -23,8 +23,8 @@
     import org.apache.wicket.authorization.IUnauthorizedComponentInstantiationListener;
     import org.apache.wicket.authorization.UnauthorizedInstantiationException;
     import org.apache.wicket.settings.ISecuritySettings;
    -import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
     import org.apache.wicket.util.crypt.ICryptFactory;
    +import org.apache.wicket.util.crypt.KeyInSessionSunJceCryptFactory;
     
     /**
      * @author Jonathan Locke
    @@ -85,7 +85,7 @@ public synchronized ICryptFactory getCryptFactory()
     	{
     		if (cryptFactory == null)
     		{
    -			cryptFactory = new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY);
    +			cryptFactory = new KeyInSessionSunJceCryptFactory();
     		}
     		return cryptFactory;
     	}
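
Review bot: The new default at `cryptFactory = new KeyInSessionSunJceCryptFactory();` changes behaviour for every application that never sets its own factory, and the hunk shows no Javadoc change on getCryptFactory() to say so. Going by the class name, the key is now held in the user's session, so URLs encrypted under the shared ISecuritySettings.DEFAULT_ENCRYPTION_KEY would presumably stop decrypting after an upgrade and would no longer be portable between sessions; please document that on the getter and in the migration notes. DEFAULT_ENCRYPTION_KEY also remains reachable (the test change in this commit still uses it), so consider deprecating it or marking it as unsuitable for production use.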
    
  • wicket-core/src/test/java/org/apache/wicket/request/mapper/CryptoMapperTest.java (+12 -2, modified)
    @@ -24,6 +24,10 @@
     import org.apache.wicket.request.handler.RenderPageRequestHandler;
     import org.apache.wicket.request.handler.resource.ResourceReferenceRequestHandler;
     import org.apache.wicket.request.mapper.parameter.PageParameters;
    +import org.apache.wicket.settings.ISecuritySettings;
    +import org.apache.wicket.util.IProvider;
    +import org.apache.wicket.util.crypt.CachingSunJceCryptFactory;
    +import org.apache.wicket.util.crypt.ICrypt;
     import org.apache.wicket.util.string.StringValue;
     import org.apache.wicket.util.tester.DummyHomePage;
     import org.apache.wicket.util.tester.WicketTester;
    @@ -63,7 +67,13 @@ public void before() throws Exception
     		tester = new WicketTester();
     		WebApplication webApplication = tester.getApplication();
     		webApplication.mountPage(EXPECTED_URL.toString(), DummyHomePage.class);
    -		mapper = new CryptoMapper(webApplication.getRootRequestMapper(), webApplication);
    +		mapper = new CryptoMapper(webApplication.getRootRequestMapper(),  new IProvider<ICrypt>()
    +		{
    +			public ICrypt get()
    +			{
    +				return new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY).newCrypt();
    +			}
    +		});
     	}
     
     	/**
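
Review bot: In before(), the mapper is now pinned to `new CachingSunJceCryptFactory(ISecuritySettings.DEFAULT_ENCRYPTION_KEY).newCrypt()`, so this test class keeps covering only the old static-key path and nothing visible here exercises the new KeyInSessionSunJceCryptFactory default. Add a test that builds the CryptoMapper from the application's default settings and checks that encrypted URLs round-trip, and, if per-session keys are the intent, that the same URL encrypts differently under two sessions. Minor: there is a double space before `new IProvider<ICrypt>()`, and the anonymous `get()` has no `@Override`.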
    @@ -261,4 +271,4 @@ public void resourceReferenceWithLessSegments()
     		assertEquals(getClass(), handler.getResourceReference().getScope());
     		assertEquals("less-crypt.txt", handler.getResourceReference().getName());
     	}
    -}
    \ No newline at end of file
    +}
    
