CVE-2023-41327 (GCVE-0-2023-41327)
Vulnerability from cvelistv5
Published: 2023-09-06 20:38
Modified: 2024-09-26 15:51
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Summary
WireMock is a tool for mocking HTTP services. WireMock can be configured to only permit proxying (and therefore recording) to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first. Until WireMock Webhooks Extension 3.0.0-beta-15, the filtering of target addresses from the proxy mode DID NOT work for Webhooks, so users were potentially vulnerable regardless of the `limitProxyTargets` settings. Via the WireMock webhooks configuration, POST requests from a webhook might be forwarded to an arbitrary service reachable from WireMock’s instance. For example, if someone is running the WireMock Docker container inside a private cluster, they can trigger internal POST requests against unsecured APIs, or even against secured ones by passing a token, discovered using another exploit, via authentication headers. This issue has been addressed in versions 2.35.1 and 3.0.3 of WireMock. WireMock Studio has been discontinued and will not see a fix. Users unable to upgrade should use external firewall rules to define the list of permitted destinations.
Impacted products
Vendor: wiremock
Product: wiremock
Versions:
  • org.wiremock:wiremock-webhooks-extension: >= 2.0.0, < 2.35.1
  • org.wiremock:wiremock-webhooks-extension: >= 3.0.0, < 3.0.3
  • wiremock-studio: All versions


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:01:33.620Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7"
          },
          {
            "name": "https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15"
          },
          {
            "name": "https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-41327",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T15:46:25.886203Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T15:51:46.334Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wiremock",
          "vendor": "wiremock",
          "versions": [
            {
              "status": "affected",
              "version": " org.wiremock:wiremock-webhooks-extension: \u003e= 2.0.0, \u003c 2.35.1"
            },
            {
              "status": "affected",
              "version": " org.wiremock:wiremock-webhooks-extension: \u003e= 3.0.0, \u003c 3.0.3"
            },
            {
              "status": "affected",
              "version": " wiremock-studio: All versions"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WireMock is a tool for mocking HTTP services. WireMock can be configured to only permit proxying (and therefore recording) to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first. \n\nUntil WireMock Webhooks Extension 3.0.0-beta-15, the filtering of target addresses from the proxy mode DID NOT work for Webhooks, so the users were potentially vulnerable regardless of the `limitProxyTargets` settings. Via the WireMock webhooks configuration, POST requests from a webhook might be forwarded to an arbitrary service reachable from WireMock\u2019s instance. For example, If someone is running the WireMock docker Container inside a private cluster, they can trigger internal POST requests against unsecured APIs or even against secure ones by passing a token, discovered using another exploit, via authentication headers. This issue has been addressed in versions 2.35.1 and 3.0.3 of wiremock. Wiremock studio has been discontinued and will not see a fix. Users unable to upgrade should use external firewall rules to define the list of permitted destinations."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-06T20:38:45.161Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7"
        },
        {
          "name": "https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15"
        },
        {
          "name": "https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses"
        }
      ],
      "source": {
        "advisory": "GHSA-hq8w-9w8w-pmx7",
        "discovery": "UNKNOWN"
      },
      "title": "Controlled SSRF through URL in the WireMock"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-41327",
    "datePublished": "2023-09-06T20:38:45.161Z",
    "dateReserved": "2023-08-28T16:56:43.366Z",
    "dateUpdated": "2024-09-26T15:51:46.334Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41327\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-09-06T21:15:14.323\",\"lastModified\":\"2024-11-21T08:21:04.903\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WireMock is a tool for mocking HTTP services. WireMock can be configured to only permit proxying (and therefore recording) to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first. \\n\\nUntil WireMock Webhooks Extension 3.0.0-beta-15, the filtering of target addresses from the proxy mode DID NOT work for Webhooks, so the users were potentially vulnerable regardless of the `limitProxyTargets` settings. Via the WireMock webhooks configuration, POST requests from a webhook might be forwarded to an arbitrary service reachable from WireMock\u2019s instance. For example, If someone is running the WireMock docker Container inside a private cluster, they can trigger internal POST requests against unsecured APIs or even against secure ones by passing a token, discovered using another exploit, via authentication headers. This issue has been addressed in versions 2.35.1 and 3.0.3 of wiremock. Wiremock studio has been discontinued and will not see a fix. Users unable to upgrade should use external firewall rules to define the list of permitted destinations.\"},{\"lang\":\"es\",\"value\":\"WireMock es una herramienta para imitar servicios HTTP. WireMock se puede configurar para permitir solo el proxy (y por lo tanto la grabaci\u00f3n) en ciertas direcciones. Esto se logra mediante una lista de reglas de direcciones permitidas y una lista de reglas de direcciones denegadas, donde la lista permitida se eval\u00faa primero. Hasta WireMock Webhooks Extension 3.0.0-beta-15, el filtrado de direcciones de destino desde el modo proxy NO funcionaba para Webhooks, por lo que los usuarios eran potencialmente vulnerables independientemente de la configuraci\u00f3n de `limitProxyTargets`. A trav\u00e9s de la configuraci\u00f3n de los webhooks de WireMock, las solicitudes POST de un webhook pueden reenviarse a un servicio arbitrario accesible desde la instancia de WireMock. Por ejemplo, si alguien ejecuta el contenedor acoplable WireMock dentro de un cl\u00faster privado, puede activar solicitudes POST internas contra APIs no seguras o incluso contra APIs seguras pasando un token, descubierto mediante otro exploit, a trav\u00e9s de encabezados de autenticaci\u00f3n. Este problema se solucion\u00f3 en las versiones 2.35.1 y 3.0.3 de wiremock. Wiremock Studio ha sido descontinuado y no se implementar\u00e1 un parche. Los usuarios que no puedan actualizar deben usar reglas de firewall externas para definir la lista de destinos permitidos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.1,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wiremock:studio:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.32.0-17\",\"matchCriteriaId\":\"94D6D047-97F7-4326-AAF8-09ACB980D549\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wiremock:wiremock:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.35.1\",\"matchCriteriaId\":\"418B9CC0-59C9-4560-9E92-5C0B1D547916\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wiremock:wiremock:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.3\",\"matchCriteriaId\":\"5E2F15FC-7298-49C1-9C37-6B0AE0C5B272\"}]}]}],\"references\":[{\"url\":\"https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7\", \"name\": \"https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15\", \"name\": \"https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses\", \"name\": \"https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:01:33.620Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-41327\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-26T15:46:25.886203Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-26T15:51:43.175Z\"}}], \"cna\": {\"title\": \"Controlled SSRF through URL in the WireMock\", \"source\": {\"advisory\": \"GHSA-hq8w-9w8w-pmx7\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.6, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"wiremock\", \"product\": \"wiremock\", \"versions\": [{\"status\": \"affected\", \"version\": \" org.wiremock:wiremock-webhooks-extension: \u003e= 2.0.0, \u003c 2.35.1\"}, {\"status\": \"affected\", \"version\": \" org.wiremock:wiremock-webhooks-extension: \u003e= 3.0.0, \u003c 3.0.3\"}, {\"status\": \"affected\", \"version\": \" wiremock-studio: All versions\"}]}], \"references\": [{\"url\": \"https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7\", \"name\": \"https://github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15\", \"name\": \"https://github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses\", \"name\": \"https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WireMock is a tool for mocking HTTP services. WireMock can be configured to only permit proxying (and therefore recording) to certain addresses. This is achieved via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first. \\n\\nUntil WireMock Webhooks Extension 3.0.0-beta-15, the filtering of target addresses from the proxy mode DID NOT work for Webhooks, so the users were potentially vulnerable regardless of the `limitProxyTargets` settings. Via the WireMock webhooks configuration, POST requests from a webhook might be forwarded to an arbitrary service reachable from WireMock\\u2019s instance. For example, If someone is running the WireMock docker Container inside a private cluster, they can trigger internal POST requests against unsecured APIs or even against secure ones by passing a token, discovered using another exploit, via authentication headers. This issue has been addressed in versions 2.35.1 and 3.0.3 of wiremock. Wiremock studio has been discontinued and will not see a fix. Users unable to upgrade should use external firewall rules to define the list of permitted destinations.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-09-06T20:38:45.161Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-41327\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-26T15:51:46.334Z\", \"dateReserved\": \"2023-08-28T16:56:43.366Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-09-06T20:38:45.161Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

