
CVE-2023-41327

Controlled SSRF through URL in WireMock

Severity Score: 5.4 (CVSS v3.1)
Exploit Likelihood: not listed (EPSS)
Affected Versions: see the table below (CPE)
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)

Descriptions

WireMock is a tool for mocking HTTP services. WireMock can be configured to only permit proxying (and therefore recording) to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first.

Until WireMock Webhooks Extension 3.0.0-beta-15, the filtering of target addresses from the proxy mode DID NOT work for Webhooks, so users were potentially vulnerable regardless of the `limitProxyTargets` settings. Via the WireMock webhooks configuration, POST requests from a webhook might be forwarded to an arbitrary service reachable from WireMock's instance. For example, if someone is running the WireMock Docker container inside a private cluster, they can trigger internal POST requests against unsecured APIs, or even against secured ones by passing a token, discovered using another exploit, via authentication headers. This issue has been addressed in versions 2.35.1 and 3.0.3 of WireMock. WireMock Studio has been discontinued and will not see a fix. Users unable to upgrade should use external firewall rules to define the list of permitted destinations.
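The advisory describes the intended behaviour of the proxy target filter (an allowed-rule list evaluated first, then a denied-rule list) and says that the webhook path skipped it. The following is an added example, not WireMock's own code or API, showing how a defender would apply exactly that rule order to webhook destinations before dispatching them; `AddressRule`, `is_permitted_target`, `filter_webhooks` and the sample rules and webhook definitions are assumptions constructed for the example. It goes slightly beyond the text by also checking the addresses a hostname resolves to, so that a name pointing into a denied range fails closed.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class AddressRule:
    """One proxy-target rule: a CIDR, a single IP, an exact hostname, or '*.suffix'."""
    pattern: str

    def matches(self, host: str) -> bool:
        host = host.lower()
        # Try to interpret the rule as an IP network; hostnames and wildcards fail here.
        try:
            network = ipaddress.ip_network(self.pattern, strict=False)
        except ValueError:
            network = None
        if network is not None:
            try:
                return ipaddress.ip_address(host) in network
            except ValueError:
                return False  # hostname cannot be tested against an IP rule
        if self.pattern.startswith("*."):
            suffix = self.pattern[1:].lower()  # ".internal.example"
            return host == suffix[1:] or host.endswith(suffix)
        return host == self.pattern.lower()


def is_permitted_target(url: str, allowed, denied, resolve=lambda host: []) -> bool:
    """Apply the advisory's rule order: allowed list first, then denied list.

    `resolve` is an optional callable mapping a hostname to the IPs it resolves to
    (default: no resolution, so the check runs fully offline). Every candidate
    address (the literal host plus its resolved IPs) is checked, and any match
    on a denied rule rejects the target.
    """
    host = urlparse(url).hostname  # strips port and IPv6 brackets
    if not host:
        return False
    candidates = [host] + list(resolve(host))
    # Allowed rules are evaluated first: when any are configured, at least one
    # candidate address must match one of them.
    if allowed and not any(r.matches(c) for r in allowed for c in candidates):
        return False
    # Denied rules are evaluated second and win over an allowed match.
    if any(r.matches(c) for r in denied for c in candidates):
        return False
    return True


def filter_webhooks(webhooks, allowed, denied, resolve=lambda host: []):
    """Split webhook definitions into those safe to dispatch and those blocked."""
    dispatch, blocked = [], []
    for hook in webhooks:
        (dispatch if is_permitted_target(hook["url"], allowed, denied, resolve) else blocked).append(hook)
    return dispatch, blocked


# Constructed sample configuration (not WireMock syntax): permit the internal
# domain and the 10/8 range, but deny one subnet inside it.
ALLOWED = [AddressRule("*.internal.example"), AddressRule("10.0.0.0/8")]
DENIED = [AddressRule("10.0.1.0/24")]

# Constructed webhook definitions as a mocked response might carry them.
SAMPLE_WEBHOOKS = [
    {"name": "notify", "url": "http://api.internal.example/hook"},
    {"name": "metrics", "url": "http://10.0.2.5:8080/ingest"},
    {"name": "restricted", "url": "http://10.0.1.9/admin"},
    {"name": "outside", "url": "http://203.0.113.7/collect"},
]

if __name__ == "__main__":
    ok, no = filter_webhooks(SAMPLE_WEBHOOKS, ALLOWED, DENIED)
    print("dispatch:", [h["name"] for h in ok])
    print("blocked:", [h["name"] for h in no])
```

The ordering matters: `restricted` matches the allowed 10/8 rule but is still blocked because the denied subnet is checked afterwards, which is the precedence the advisory describes. Passing a real resolver (for example one built on `socket.getaddrinfo`) closes the gap where a hostname outside the allowed list resolves into a denied range.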


*Credits: N/A
CVSS Scores

First listed vector (CVSS v3.1):
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Second listed vector (CVSS v3.1):
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

* Common Vulnerability Scoring System
SSVC
  • Decision: Track
Exploitation: None
Automatable: No
Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-08-28 CVE Reserved
  • 2023-09-06 CVE Published
  • 2024-09-26 CVE Updated
  • 2024-10-08 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor     Product   Version             Other  Status
Wiremock   Studio    <= 2.32.0-17        -      Affected
Wiremock   Wiremock  >= 2.0.0 < 2.35.1   -      Affected
Wiremock   Wiremock  >= 3.0.0 < 3.0.3    -      Affected