{"url":"http://public2.vulnerablecode.io/api/packages/635933?format=json","purl":"pkg:maven/com.github.tomakehurst/wiremock-jre8-standalone@2.26.2","type":"maven","namespace":"com.github.tomakehurst","name":"wiremock-jre8-standalone","version":"2.26.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.35.1","latest_non_vulnerable_version":"2.35.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35667?format=json","vulnerability_id":"VCID-k79n-6kam-4yaq","summary":"Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes\n### Impact\n\nThe proxy mode of WireMock can be protected by the network restrictions configuration, as documented in [Preventing proxying to and recording from specific target addresses](https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses). These restrictions can be configured using the domain names, and in such a case the configuration is vulnerable to the DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions.\n\nThe root cause of the attack is a defect in the logic which allows for a race condition triggered by a DNS server whose address expires in between the initial validation and the outbound network request that might go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact.\n\n### Affected versions\n\n- WireMock 3.x until 3.0.3 (security patch), on default settings in environments with access to the network\n- WireMock 2.x until 2.35.1 (security patch), on default settings in environments with access to the network\n- Python WireMock until 2.6.1\n- WireMock Studio - all versions, this proprietary product was discontinued in 2022\n\n\n### Patches\n\n- WireMock 3.0.3 + the 3.0.3-1 Docker image\n- WireMock 2.35.1 + the 2.35.1-1 Docker image - backport to WireMock 2.x\n- Python WireMock 2.6.1\n\n### Workarounds\n\nFor WireMock:\n\n- Option 1: Configure WireMock to use IP addresses instead of the domain names in the outbound URLs subject to DNS rebinding\n- Option 2: Use external firewall rules to define the list of permitted destinations\n\nFor WireMock Studio: N/A. Switch to another distribution, there will be no fix provided. The vendor of former WireMock Studio recommends migration to [WireMock Cloud](https://www.wiremock.io/product)\n\n### References\n\n- CVE-2023-41327 - Related issue in the WireMock Webhooks Extension","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41329","reference_id":"","reference_type":"","scores":[{"value":"0.00331","scoring_system":"epss","scoring_elements":"0.56236","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41329"},{"reference_url":"https://github.com/wiremock/wiremock","reference_id":"","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/wiremock/wiremock"},{"reference_url":"https://github.com/wiremock/wiremock/security/advisories/GHSA-pmxq-pj47-j8j4","reference_id":"","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T14:43:46Z/"}],"url":"https://github.com/wiremock/wiremock/security/advisories/GHSA-pmxq-pj47-j8j4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41329","reference_id":"","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41329"},{"reference_url":"https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses","reference_id":"","reference_type":"","scores":[{"value":"3.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-26T14:43:46Z/"}],"url":"https://wiremock.org/docs/configuration/#preventing-proxying-to-and-recording-from-specific-target-addresses"},{"reference_url":"https://github.com/advisories/GHSA-pmxq-pj47-j8j4","reference_id":"GHSA-pmxq-pj47-j8j4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pmxq-pj47-j8j4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67878?format=json","purl":"pkg:maven/com.github.tomakehurst/wiremock-jre8-standalone@2.35.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.github.tomakehurst/wiremock-jre8-standalone@2.35.1"}],"aliases":["CVE-2023-41329","GHSA-pmxq-pj47-j8j4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k79n-6kam-4yaq"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.github.tomakehurst/wiremock-jre8-standalone@2.26.2"}