CVE-2023-41329: 
Java vulnerability analysis and mitigation

CVE-2023-41329 affects WireMock, a tool for mocking HTTP services. The vulnerability was discovered in the proxy mode and webhook extensions, where network restrictions configuration using domain names is vulnerable to DNS rebinding attacks. The issue was disclosed in September 2023 and affects multiple versions of WireMock, including versions prior to 2.35.1 of wiremock-jre8, versions before 3.0.3 of wiremock, versions before 2.6.1 of the Python version, and various Docker container versions (GitHub Advisory).

The vulnerability stems from a race condition in the logic that can be triggered by a DNS server whose address expires between the initial validation and the outbound network request. This allows requests to potentially reach domains that were supposed to be prohibited. The vulnerability has been assigned a CVSS v3.1 base score of 3.9 (LOW) with the vector string CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L. The issue is classified as CWE-290 (Authentication Bypass by Spoofing) (GitHub Advisory, NVD).

The vulnerability has limited impact due to its high execution complexity and requirement for control over a DNS service. When successfully exploited, it could allow attackers to bypass network restrictions configured using domain names in WireMock's proxy mode and webhook extensions (GitHub Advisory).

The issue has been patched in WireMock version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the Python version, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. For users unable to upgrade, two workarounds are available: configure WireMock to use IP addresses instead of domain names in the outbound URLs subject to DNS rebinding, or use external firewall rules to define the list of permitted destinations (GitHub Advisory).