CVE-2023-39967

2023-09-0621:15:13

CWE-918

GitHub_M

web.nvd.nist.gov

cve

wiremock

http services

security

vulnerability

nvd

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.4

Confidence

High

EPSS

0.002

Percentile

56.6%

JSON

WireMock is a tool for mocking HTTP services. When certain request URLs like “@127.0.0.1:1234" are used in WireMock Studio configuration fields, the request might be forwarded to an arbitrary service reachable from WireMock’s instance. There are 3 identified potential attack vectors: via “TestRequester” functionality, webhooks and the proxy mode. As we can control HTTP Method, HTTP Headers, HTTP Data, it allows sending requests with the default level of credentials for the WireMock instance. The vendor has discontinued the affected Wiremock studio product and there will be no fix. Users are advised to find alternatives.

Affected configurations

Nvd

Node

wiremockstudioRange≤2.32.0-17

VendorProductVersionCPE
wiremockstudio*cpe:2.3:a:wiremock:studio:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wiremock	studio	*	cpe:2.3:a:wiremock:studio::::::::

CNA Affected

[
  {
    "vendor": "wiremock",
    "product": "wiremock",
    "versions": [
      {
        "version": "All versions",
        "status": "affected"
      }
    ]
  }
]