CVE-2023-41327: 
Java vulnerability analysis and mitigation

WireMock, a tool for mocking HTTP services, disclosed a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2023-41327. The vulnerability affects WireMock Webhooks Extension versions 2.x before 2.35.1, 3.x before 3.0.3, and all versions of WireMock Studio. The issue was discovered and reported by multiple security researchers and was publicly disclosed on September 6, 2023 (GitHub Advisory).

The vulnerability stems from a failure in the proxy target filtering mechanism within the WireMock Webhooks Extension. While WireMock can be configured to limit proxying to specific addresses through allowed and denied address rules, this filtering did not work for Webhooks until version 3.0.0-beta-15. The vulnerability has a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L according to NVD assessment (NVD).

Through the WireMock webhooks configuration, an attacker could potentially forward POST requests to arbitrary services reachable from the WireMock instance. This is particularly concerning in private cluster deployments, where attackers could trigger internal POST requests against unsecured APIs or even secured ones by passing discovered authentication tokens via headers (GitHub Advisory).

The vulnerability has been patched in WireMock versions 2.35.1 and 3.0.3. For users unable to upgrade, it is recommended to use external firewall rules to define the list of permitted destinations. WireMock Studio users are advised to migrate to other distributions as it has been discontinued and will not receive a fix. The vendor recommends migration to WireMock Cloud, which has been confirmed not to be vulnerable to this issue (GitHub Advisory).