PT-2023-6522 · Unknown +1 · Python Wiremock +2

Numacanedo +1 · Published 2023-09-06 · Updated 2026-04-13 · CVE-2023-41329

CVSS v2.0: 6.8 Medium · Vector AV:N/AC:H/Au:M/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

WireMock versions prior to 2.35.1
WireMock versions prior to 3.0.3
Python WireMock versions prior to 2.6.1
WireMock Studio (all versions)

Description

The issue affects the proxy mode of WireMock, which can be protected by a network-restrictions configuration. When these restrictions are configured using domain names, the configuration is vulnerable to DNS rebinding attacks. The root cause is a defect in the validation logic that allows a race condition: a DNS record can expire between the initial validation of the domain name and the outbound network request, so the request may reach an address other than the one that was validated. Control over a DNS service is required to exploit this, resulting in high execution complexity and limited impact.

Recommendations

For WireMock versions prior to 2.35.1: upgrade to version 2.35.1 or later, or configure WireMock to use IP addresses instead of domain names, or use external firewall rules to define the list of permitted destinations.
For WireMock versions prior to 3.0.3: upgrade to version 3.0.3 or later, or configure WireMock to use IP addresses instead of domain names, or use external firewall rules to define the list of permitted destinations.
For Python WireMock versions prior to 2.6.1: upgrade to version 2.6.1 or later.
For WireMock Studio: switch to another distribution, as no fix will be provided, and consider migrating to WireMock Cloud.
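The race behind this advisory, and why the "use IP addresses instead of domain names" recommendation closes it, as an added illustration that is not WireMock's own code: a destination policy that validates the resolved address but lets the HTTP client resolve the name a second time, beside the pinned form that connects to the validated address itself. The resolver, the CIDR policy and every function name are constructed for the example.

```python
import ipaddress
from typing import Callable, Iterable

# All names below are constructed for this example, not WireMock's own API.
Resolver = Callable[[str], str]  # hostname -> IP address string


def is_permitted(ip: str, allowed: Iterable[str], denied: Iterable[str]) -> bool:
    """Deny list wins over allow list; both hold CIDR strings."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in denied):
        return False
    return any(addr in ipaddress.ip_network(n) for n in allowed)


def unpinned_target(host: str, allowed, denied, resolve: Resolver) -> str:
    """Vulnerable pattern: the policy check resolves the name, then the HTTP
    client resolves it again when dialling. A short-TTL answer that changes
    between the two lookups is never checked (time-of-check/time-of-use)."""
    if not is_permitted(resolve(host), allowed, denied):
        raise PermissionError(f"{host} is not a permitted proxy destination")
    return resolve(host)  # second lookup: this is the address actually dialled


def pinned_target(host: str, allowed, denied, resolve: Resolver) -> str:
    """Hardened pattern: resolve once, validate that address, and connect to
    the validated address itself; the hostname only goes into Host/SNI."""
    ip = resolve(host)
    if not is_permitted(ip, allowed, denied):
        raise PermissionError(f"{host} resolved to non-permitted address {ip}")
    return ip


class RebindingResolver:
    """Constructed stand-in for a DNS server whose answer changes between
    lookups: yields each answer in turn, then repeats the last one."""

    def __init__(self, answers):
        self.answers, self.calls = list(answers), 0

    def __call__(self, host: str) -> str:
        self.calls += 1
        return self.answers[min(self.calls, len(self.answers)) - 1]


# Constructed policy: proxy anywhere except RFC 1918 / loopback ranges.
ALLOWED = ["0.0.0.0/0"]
DENIED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
```

Pinning is equivalent to the advisory's IP-address recommendation applied automatically: the name is only ever resolved once per request, so there is no second lookup for a changing DNS answer to influence.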

Weakness Enumeration

Authentication Bypass by Spoofing

Related Identifiers

BDU:2023-07269
BIT-WIREMOCK-2023-41329
CVE-2023-41329
GHSA-PMXQ-PJ47-J8J4

Affected Products

Python Wiremock
Wiremock
Wiremock Studio