Home > Vulnerability Database > CVE-2023-39967

Mend.io Vulnerability Database

CVE-2023-39967

Date: September 6, 2023

WireMock is a tool for mocking HTTP services. When certain request URLs like “@127.0.0.1:1234" are used in WireMock Studio configuration fields, the request might be forwarded to an arbitrary service reachable from WireMock’s instance. There are 3 identified potential attack vectors: via “TestRequester” functionality, webhooks and the proxy mode. As we can control HTTP Method, HTTP Headers, HTTP Data, it allows sending requests with the default level of credentials for the WireMock instance. The vendor has discontinued the affected Wiremock studio product and there will be no fix. Users are advised to find alternatives.

Language: Java

Severity Score

10.0

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-39967

Url: https://github.com/wiremock/wiremock/security/advisories/GHSA-676j-xrv3-73vc

Url: https://www.mend.io/vulnerability-database/CVE-2023-39967

Severity Score

10.0

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-39967

Date: September 6, 2023

Language: Java

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?