WireMock is a widely used tool for mocking HTTP services, often employed for testing and service virtualization. It includes a powerful feature to record and replay HTTP requests, which can be leveraged to uncover application vulnerabilities. However, until version 3..-beta-15 of the WireMock Webhooks Extension, a security vulnerability existed that potentially allowed unauthorized users to proxy POST requests to arbitrary services without proper filtering of target addresses.
This article outlines the details of the CVE-2023-41327 vulnerability, the affected WireMock versions, and recommended resolutions.
Vulnerability Details
The issue arises when WireMock is configured to limit the proxying feature to certain addresses. This is usually done via a list of allowed address rules and a list of denied address rules, where the allowed list is evaluated first.
Here's an example of how the limitProxyTargets configuration might be set in a WireMock instance
{
"limitProxyTargets": [
{
"rule": "allow",
"destinations": ["allowed-host.com", "example.com"]
},
{
"rule": "deny",
"destinations": ["*"]
}
]
}
However, until WireMock Webhooks Extension 3..-beta-15, this filtering did not work for webhook POST requests originating from an allowed address. As a result, the POST request could potentially be forwarded to any reachable service from WireMock’s instance, whether it was in the allowed list or not.
This vulnerability is particularly dangerous when WireMock is deployed within a private cluster as it may expose internal APIs to unauthorized access. An attacker might exploit this to trigger internal POST requests against unsecured APIs, or even against secured ones by sniffing authentication tokens from other requests.
Resolution and Recommendations
This vulnerability is fixed in WireMock versions 2.35.1 and 3..3, and WireMock Webhooks Extension 3..-beta-15. Users should upgrade their WireMock instances as soon as possible to protect against this vulnerability.
For those unable to upgrade, it is highly recommended to enforce external firewall rules to define the list of permitted destinations and mitigate the risk of unauthorized proxying.
For more information, see the following references
- Original WireMock GitHub Issue
- WireMock Changelog
- WireMock Webhooks Extension GitHub Repository
Conclusion
CVE-2023-41327 is a critical vulnerability affecting WireMock's ability to correctly enforce access controls for proxying webhook POST requests. Users of WireMock versions prior to 2.35.1 or WireMock Webhooks Extension versions prior to 3..-beta-15 should update their instances to protect against unauthorized proxying or, if upgrading is not an option, use external firewall rules to safeguard HTTP service access.
Timeline
Published on: 09/06/2023 21:15:00 UTC
Last modified on: 09/12/2023 20:43:00 UTC