{"schema_version": "1.6.1", "id": "CVE-2021-23937", "summary": "DNS proxy and possible amplification attack", "details": "A DNS proxy and possible amplification attack vulnerability in WebClientInfo of Apache Wicket allows an attacker to trigger arbitrary DNS lookups from the server when the X-Forwarded-For header is not properly sanitized. This DNS lookup can be engineered to overload an internal DNS server or to slow down request processing of the Apache Wicket application causing a possible denial of service on either the internal infrastructure or the web application itself.\n\nThis issue affects Apache Wicket Apache Wicket 9.x version 9.2.0 and prior versions; Apache Wicket 8.x version 8.11.0 and prior versions; Apache Wicket 7.x version 7.17.0 and prior versions and Apache Wicket 6.x version 6.2.0 and later versions.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Wicket 9.x"}, {"last_affected": "Apache Wicket 9.x"}]}, {"type": "SEMVER", "events": [{"introduced": "Apache Wicket 8.x"}, {"last_affected": "Apache Wicket 8.x"}]}, {"type": "SEMVER", "events": [{"introduced": "Apache Wicket 7.x"}, {"last_affected": "Apache Wicket 7.x"}]}, {"type": "SEMVER", "events": [{"introduced": "6.2.0"}, {"fixed": "Apache Wicket 6.x*"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/rc2ef22f90793e158cef65a7e370cdbca023c499d1403d65feeca870d%40%3Cusers.wicket.apache.org%3E"}]}