Authentication Bypass by Spoofing
CVE-2023-41329
Summary
WireMock is a tool for mocking HTTP services. The proxy mode of WireMock can be protected by the network restriction configuration, as documented in "Preventing proxying to and recording from specific target addresses". These restrictions can be configured using domain names, and in that case the configuration is vulnerable to DNS rebinding attacks. The root cause is a logic defect that allows a race condition: a DNS server can return an address that expires between the initial validation and the outbound network request, so the request might go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact.

This vulnerability affects:
- "org.wiremock:wiremock" and "org.wiremock:wiremock-standalone" packages in versions 3.0.0-beta-11 through 3.0.2
- "com.github.tomakehurst:wiremock-jre8" and "com.github.tomakehurst:wiremock-jre8-standalone" packages in versions through 2.35.0, and 3.0.0-beta-1 through 3.0.0-beta-10
- Python wiremock versions through 2.6.0
- wiremock/wiremock Docker Container in versions through 2.35.0-1, and 3.x through 3.0.2-1

Users are advised to upgrade. Users who are unable to upgrade should either configure firewall rules to define the list of permitted destinations or configure WireMock to use IP addresses instead of domain names.
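The validate-then-connect race described in the summary, as a simplified Python model added here (not WireMock's code or its fix): a constructed resolver changes its answer between lookups, and the flawed check is shown beside a version that validates the same address it connects to. The deny ranges, host name and all function names are assumptions made for the example.

```python
import ipaddress
from itertools import chain, repeat

# Constructed deny rule: loopback and link-local ranges (assumption, not WireMock config).
DENIED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("169.254.0.0/16")]


class ExpiringResolver:
    """Constructed stand-in for a DNS name whose record expires between lookups."""

    def __init__(self, answers):
        # Hand out each answer once, then keep repeating the last one.
        self._answers = chain(answers, repeat(answers[-1]))
        self.lookups = 0

    def resolve(self, host):
        self.lookups += 1
        return next(self._answers)


def is_denied(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENIED)


def check_then_connect(host, resolver):
    """Flawed pattern: validate one lookup, connect using a second lookup."""
    if is_denied(resolver.resolve(host)):
        raise PermissionError(f"{host} is denied")
    # The HTTP client resolves the name again; this answer was never validated.
    return resolver.resolve(host)


def resolve_once_and_pin(host, resolver):
    """Hardened pattern: validate the exact address the connection will use."""
    ip = resolver.resolve(host)
    if is_denied(ip):
        raise PermissionError(f"{host} -> {ip} is denied")
    return ip  # connect to this IP; keep `host` only for the Host header / SNI


def connect_target(proxy, answers, host="mock-target.example"):
    """Return the IP the proxy would connect to, or 'blocked'."""
    try:
        return proxy(host, ExpiringResolver(answers))
    except PermissionError:
        return "blocked"
```

With the constructed answers `["203.0.113.10", "127.0.0.1"]`, the flawed pattern ends up connecting to the denied loopback address, while the pinned pattern performs a single lookup and connects only to the address it validated.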
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- HIGH
- HIGH
- HIGH
CWE-290 - Authentication Bypass by Spoofing
This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.
References
Advisory Timeline
- Published