3.0.3-1 - Security Release

🔒 Security

This security release addresses the following issues

• CVE-2023-41327 - Controlled SSRF through URL in the WireMock Webhooks Extension and WireMock Studio
  • Overall CVSS Score: 4.3 (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L/E:F/RL:O/RC:C)
• CVE-2023-41329 - Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes
  • Overall CVSS Score: 3.6 (AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C)

NOTE: WireMock Studio, a proprietary distribution discontinued in 2022, is also affected by those issues and also affected by CVE-2023-39967 - Overall CVSS Score 8.6 - “Controlled and full-read SSRF through URL parameter when testing a request, webhooks and proxy mode”. The fixes will not be provided. The vendor recommends migrating to WireMock Cloud which is available as SaaS and private beta for on-premises deployments

👻 Maintenance

• Create release Pipeline for 2.x (#83) @oleg-nenashev
• Remove broken DockerHub description updater from the release pipeline (#82) @oleg-nenashev

🔗 Related releases

• WireMock Docker 3.0.3-1 - Docker Image with the Patch
• WireMock 2.35.1 / WireMock Docker 2.35.1-1 - Backport to WireMock 2.x
• Python WireMock 2.6.1 - Python library that bundles the WireMock JAR file
• NOTE: Other distributions like Testcontainers modules or Helm chart need explicit version declaration, and hence a user action is needed to update the dependencies should they be considered a risk