# announcements
📢 <!channel> Please be informed that we have released security fixes for WireMock and WireMock Webhooks Extension to mitigate potential SSRF and DNS rebinding issues that potentially impact the proxy/recorder mode and the webhooks (CVSS 4.3 and CVSS 3.6 respectively). We recommend updating to WireMock 2.35.1 or 3.0.3 if you use WireMock to communicate with external services or deploy WireMock in environments with potential unprivileged access to other services.

Advisory links:
• CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
  ◦ Overall CVSS Score: 4.3 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
• CVE-2023-41329 - Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
  ◦ Overall CVSS Score: 3.6 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)

WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and has a similar SSRF full read vulnerability in the unprotected Test Requester that also allows retrieving data (CVSS 8.6) - CVE-2023-39967. The fixes will not be provided. WireMock Inc recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments. If you use WireMock Studio and need assistance with migration to another distribution, contact the vendor.

Related releases:
• https://github.com/wiremock/wiremock/releases/tag/3.0.3
• https://github.com/wiremock/wiremock/releases/tag/2.35.1
• https://github.com/wiremock/wiremock-docker/releases/tag/3.0.3-1
• https://github.com/wiremock/wiremock-docker/releases/tag/2.35.1-1
• https://github.com/wiremock/python-wiremock/releases/tag/2.6.1