{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "6.0.0"
              },
              {
                "last_affected": "6.2.0"
              },
              {
                "introduced": "7.0.0"
              },
              {
                "last_affected": "7.17.0"
              },
              {
                "introduced": "8.0.0"
              },
              {
                "last_affected": "8.11.0"
              },
              {
                "introduced": "9.0.0"
              },
              {
                "last_affected": "9.2.0"
              }
            ]
          },
          "events": [
            {
              "introduced": "0d75ee57abb31b4db48c0396870aba39c4d9ddee"
            },
            {
              "last_affected": "79154ff0ef8c920f586dd88d87dd9afad91b6dac"
            },
            {
              "introduced": "98a3a6295f426aa25a121f914a41bf792df8fdb0"
            },
            {
              "last_affected": "2d92f60565fc0c5d5954ce6f313555b596197d6d"
            },
            {
              "introduced": "5e789f1c98f6d57dba17f896c6220b0202af08a9"
            },
            {
              "last_affected": "34f78c853500356135918ef16356bd669bb96422"
            },
            {
              "introduced": "c2802f3ef8df9833da63d144fb4ad03d59e31acc"
            },
            {
              "last_affected": "bb7560bda91fb06f9c6107530947c73aaf4154db"
            }
          ],
          "repo": "https://github.com/apache/wicket",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application, causing a possible denial of service on either the internal infrastructure or the web application itself. This issue affects Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions; and Apache Wicket 6.x version 6.2.0 and later versions.",
  "id": "CVE-2021-23937",
  "modified": "2026-04-01T23:10:08.666506276Z",
  "published": "2021-05-25T17:15:08.187Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cannounce.wicket.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r127c0c1f3cb71e5bc619ad1e4b898b97c49758d1f20a54042966473e%40%3Cusers.wicket.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8ccbd91b56ebf045d151bd4282bfeea7842a0698a0b76118fca8fe78%40%3Cdev.wicket.apache.org%3E"
    },
    {
      "type": "ADVISORY",
      "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}