CVSS3: 5.4 Medium

Metric | Value
---|---
Attack Vector | ADJACENT
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | NONE
Integrity Impact | LOW
Availability Impact | LOW

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EPSS: 0.001 Low (Percentile: 28.1%)

WireMock is vulnerable to Server Side Request Forgery (SSRF). The vulnerability is caused by a failure to filter target addresses during webhook proxying, even when the allowed address rules and denied address rules are configured, regardless of the `limitProxyTargets` settings. This can lead to requests from a webhook being forwarded to an arbitrary service reachable from WireMock's instance.

CPE Name | Operator | Version
---|---|---
wiremock | le | 3.0.0-beta-14
wiremock | le | 2.35.0

github.com/advisories/GHSA-hq8w-9w8w-pmx7
github.com/wiremock/wiremock/commit/270501d56b18fa3087d96020500d92d1b32e8cf9
github.com/wiremock/wiremock/releases/tag/2.35.1
github.com/wiremock/wiremock/releases/tag/3.0.0-beta-15
github.com/wiremock/wiremock/releases/tag/3.0.3
github.com/wiremock/wiremock/security/advisories/GHSA-hq8w-9w8w-pmx7
wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses