CVE-2023-41327
Controlled SSRF through URL in the WireMock
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
WireMock is a tool for mocking HTTP services. WireMock can be configured to only permit proxying (and therefore recording) to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first.
Until WireMock Webhooks Extension 3.0.0-beta-15, the filtering of target addresses from the proxy mode DID NOT work for Webhooks, so the users were potentially vulnerable regardless of the `limitProxyTargets` settings. Via the WireMock webhooks configuration, POST requests from a webhook might be forwarded to an arbitrary service reachable from WireMock’s instance. For example, If someone is running the WireMock docker Container inside a private cluster, they can trigger internal POST requests against unsecured APIs or even against secure ones by passing a token, discovered using another exploit, via authentication headers. This issue has been addressed in versions 2.35.1 and 3.0.3 of wiremock. Wiremock studio has been discontinued and will not see a fix. Users unable to upgrade should use external firewall rules to define the list of permitted destinations.
WireMock es una herramienta para imitar servicios HTTP. WireMock se puede configurar para permitir solo el proxy (y por lo tanto la grabación) en ciertas direcciones. Esto se logra mediante una lista de reglas de direcciones permitidas y una lista de reglas de direcciones denegadas, donde la lista permitida se evalúa primero. Hasta WireMock Webhooks Extension 3.0.0-beta-15, el filtrado de direcciones de destino desde el modo proxy NO funcionaba para Webhooks, por lo que los usuarios eran potencialmente vulnerables independientemente de la configuración de `limitProxyTargets`. A través de la configuración de los webhooks de WireMock, las solicitudes POST de un webhook pueden reenviarse a un servicio arbitrario accesible desde la instancia de WireMock. Por ejemplo, si alguien ejecuta el contenedor acoplable WireMock dentro de un clúster privado, puede activar solicitudes POST internas contra APIs no seguras o incluso contra APIs seguras pasando un token, descubierto mediante otro exploit, a través de encabezados de autenticación. Este problema se solucionó en las versiones 2.35.1 y 3.0.3 de wiremock. Wiremock Studio ha sido descontinuado y no se implementará un parche. Los usuarios que no puedan actualizar deben usar reglas de firewall externas para definir la lista de destinos permitidos.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-08-28 CVE Reserved
- 2023-09-06 CVE Published
- 2023-09-13 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15 | Release Notes |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses | 2023-09-12 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7 | 2023-09-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Wiremock Search vendor "Wiremock" | Studio Search vendor "Wiremock" for product "Studio" | <= 2.32.0-17 Search vendor "Wiremock" for product "Studio" and version " <= 2.32.0-17" | - |
Affected
| ||||||
| Wiremock Search vendor "Wiremock" | Wiremock Search vendor "Wiremock" for product "Wiremock" | >= 2.0.0 < 2.35.1 Search vendor "Wiremock" for product "Wiremock" and version " >= 2.0.0 < 2.35.1" | - |
Affected
| ||||||
| Wiremock Search vendor "Wiremock" | Wiremock Search vendor "Wiremock" for product "Wiremock" | >= 3.0.0 < 3.0.3 Search vendor "Wiremock" for product "Wiremock" and version " >= 3.0.0 < 3.0.3" | - |
Affected
| ||||||