Description

WireMock is a tool for mocking HTTP services. WireMock can be configured to only permit proxying (and therefore recording) to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first. Until WireMock Webhooks Extension 3.0.0-beta-15, the filtering of target addresses from the proxy mode DID NOT work for Webhooks, so the users were potentially vulnerable regardless of the `limitProxyTargets` settings. Via the WireMock webhooks configuration, POST requests from a webhook might be forwarded to an arbitrary service reachable from WireMock’s instance. For example, If someone is running the WireMock docker Container inside a private cluster, they can trigger internal POST requests against unsecured APIs or even against secure ones by passing a token, discovered using another exploit, via authentication headers. This issue has been addressed in versions 2.35.1 and 3.0.3 of wiremock. Wiremock studio has been discontinued and will not see a fix. Users unable to upgrade should use external firewall rules to define the list of permitted destinations.

Remediation

References

https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15

https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7

https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses

Related Vulnerabilities

CVE-2022-36313 Vulnerability in maven package org.webjars.npm:file-type

CVE-2022-36097 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui

CVE-2023-3894 Vulnerability in maven package com.fasterxml.jackson.dataformat:jackson-dataformat-toml

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-jdk14

CVE-2023-37964 Vulnerability in maven package org.jenkins-ci.plugins:elasticbox

Severity

Medium

Classification

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Tags

Release Notes Vendor Advisory Patch NVD-CWE-noinfo