WireMock is a tool for mocking HTTP services. When certain request URLs like “@127.0.0.1:1234" are used in WireMock Studio configuration fields, the request might be forwarded to an arbitrary service reachable from WireMock’s instance. There are 3 identified potential attack vectors: via “TestRequester” functionality, webhooks and the proxy mode. As we can control HTTP Method, HTTP Headers, HTTP Data, it allows sending requests with the default level of credentials for the WireMock instance. The vendor has discontinued the affected Wiremock studio product and there will be no fix. Users are advised to find alternatives.
History

Thu, 26 Sep 2024 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Wiremock wiremock
CPEs cpe:2.3:a:wiremock:wiremock:*:*:*:*:*:*:*:*
Vendors & Products Wiremock wiremock
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-06T20:40:43.679Z

Updated: 2024-09-26T15:11:42.697Z

Reserved: 2023-08-07T16:27:27.077Z

Link: CVE-2023-39967

cve-icon Vulnrichment

Updated: 2024-08-02T18:18:10.120Z

cve-icon NVD

Status : Modified

Published: 2023-09-06T21:15:13.320

Modified: 2024-11-21T08:16:08.490

Link: CVE-2023-39967

cve-icon Redhat

No data.