🔒 Security
This security release addresses the following issues:
- CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
  - Overall CVSS Score: 4.3 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
- CVE-2023-41329 - Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
  - Overall CVSS Score: 3.6 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)
NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by these issues, and additionally by CVE-2023-39967 (Overall CVSS Score 8.6, “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”). No fixes will be provided for WireMock Studio. The vendor recommends migrating to WireMock Cloud, which is available as SaaS and as a private beta for on-premises deployments.
👻 Maintenance
- Create release Pipeline for 2.x (#83) @oleg-nenashev
- Remove broken DockerHub description updater from the release pipeline (#82) @oleg-nenashev
🔗 Related releases
- WireMock Docker 3.0.3-1 - Docker Image with the Patch
- WireMock 2.35.1 / WireMock Docker 2.35.1-1 - Backport to WireMock 2.x
- Python WireMock 2.6.1 - Python library that bundles the WireMock JAR file
- NOTE: Other distributions, such as the Testcontainers modules or the Helm chart, require an explicit version declaration, so users must update their dependencies themselves if these issues are considered a risk.