Wiremock-3.12.1.jar: 2 Vulnerabilities (Highest Severity is: 4.3)

by ADMIN

Introduction

Wiremock is a popular Java library for mocking HTTP requests and responses. A dependency scan of Wiremock-3.12.1.jar reports two vulnerabilities, both located in transitive dependencies that the jar pulls in rather than in Wiremock's own code. This article describes the two findings, their severity and impact, and the suggested fixes.

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (Wiremock version) | Remediation Possible |
|---|---|---|---|---|---|---|
| CVE-2024-47554 | Medium | 4.3 | commons-io-2.11.0.jar | Transitive | N/A | |
| CVE-2024-6763 | Low | 3.7 | detected in multiple dependencies | Transitive | N/A | |

CVE-2024-47554: Uncontrolled Resource Consumption Vulnerability

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. Its org.apache.commons.io.input.XmlStreamReader class may consume excessive CPU when processing maliciously crafted input. The issue affects Apache Commons IO from 2.0 before 2.14.0, a range that includes the commons-io-2.11.0.jar reported as a transitive dependency of Wiremock-3.12.1.jar.

CVE Details

  • Publish Date: 2024-10-03
  • URL: https://www.mend.io/vulnerability-database/CVE-2024-47554
  • CVSS 3 Score Details:
    • Base Score Metrics:
      • Attack Vector: Network
      • Attack Complexity: Low
      • Privileges Required: None
      • User Interaction: Required
      • Scope: Unchanged
    • Impact Metrics:
      • Confidentiality Impact: None
      • Integrity Impact: None
      • Availability Impact: Low

Suggested Fix
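
As an added example, not part of the original report or of the WireMock project, the Gradle build fragment below pins the transitive commons-io that Wiremock 3.12.1 pulls in to 2.14.0, the first version the advisory above lists as unaffected by CVE-2024-47554. It assumes the Maven coordinates org.wiremock:wiremock:3.12.1 and a Gradle project using the Groovy DSL; the reason string passed to because() is mine.

```groovy
// build.gradle (Groovy DSL). Added example: override the vulnerable transitive
// commons-io 2.11.0 that the scan attributes to Wiremock-3.12.1.jar.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Assumed coordinates for the WireMock 3.12.1 artifact under test.
    testImplementation 'org.wiremock:wiremock:3.12.1'
}

configurations.all {
    resolutionStrategy {
        eachDependency { DependencyResolveDetails details ->
            // commons-io 2.0 <= v < 2.14.0 is affected by CVE-2024-47554
            // (XmlStreamReader CPU exhaustion); force the first fixed release
            // regardless of which transitive path requested it.
            if (details.requested.group == 'commons-io'
                    && details.requested.name == 'commons-io') {
                details.useVersion('2.14.0')
                details.because('CVE-2024-47554: commons-io < 2.14.0 is affected')
            }
        }
    }
}

// Verify the override took effect (run from the project root):
//   ./gradlew dependencyInsight --dependency commons-io --configuration testRuntimeClasspath
// The report should show commons-io:commons-io:2.14.0 selected, with the
// 2.11.0 request from wiremock listed as overridden by the rule above.
```

Forcing a transitive version is a mitigation only if the pinned release stays compatible with what WireMock calls, so run the project's test suite after the change. Re-scan the resolved classpath afterwards to confirm the finding clears, since the scanner reports on resolved artifacts rather than on declared versions.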

CVE-2024-6763: Insufficient Validation Vulnerability

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. Its HttpURI class performs insufficient validation on the authority segment of a URI. When Jetty is combined with a vulnerable browser, this can result in an open redirect, or in an SSRF attack if the URI is used after passing the validation checks.

CVE Details

  • Publish Date: 2024-10-14
  • URL: https://www.mend.io/vulnerability-database/CVE-2024-6763
  • CVSS 3 Score Details:
    • Base Score Metrics:
      • Attack Vector: Network
      • Attack Complexity: High
      • Privileges Required: None
      • User Interaction: None
      • Scope: Unchanged
    • Impact Metrics:
      • Confidentiality Impact: None
      • Integrity Impact: Low
      • Availability Impact: None

Suggested Fix

Conclusion

Wiremock-3.12.1.jar pulls in two vulnerable transitive dependencies, tracked as CVE-2024-47554 (medium severity, CVSS 4.3) and CVE-2024-6763 (low severity, CVSS 3.7). To fix these vulnerabilities, users should upgrade to the latest version of Wiremock, which includes the necessary patches. Additionally, users should ensure that their dependencies are up to date and free from known vulnerabilities.

Wiremock-3.12.1.jar: 2 Vulnerabilities (Highest Severity is: 4.3) - Q&A

Q: What are the two vulnerabilities found in Wiremock-3.12.1.jar?

A: The two vulnerabilities found in Wiremock-3.12.1.jar are CVE-2024-47554 and CVE-2024-6763. CVE-2024-47554 is a medium-severity vulnerability that affects the Apache Commons IO library, while CVE-2024-6763 is a low-severity vulnerability that affects the Eclipse Jetty library.

Q: What is the impact of CVE-2024-47554?

A: CVE-2024-47554 is an uncontrolled resource consumption vulnerability that can cause the org.apache.commons.io.input.XmlStreamReader class to excessively consume CPU resources when processing maliciously crafted input. This can lead to a denial-of-service (DoS) attack.

Q: What is the impact of CVE-2024-6763?

A: CVE-2024-6763 is an insufficient validation vulnerability. When Jetty is combined with a vulnerable browser, it can result in an open redirect, or in an SSRF attack if the URI is used after passing the validation checks.

Q: How can I fix CVE-2024-47554?

A: To fix CVE-2024-47554, you should upgrade to the latest version of Wiremock, which includes the necessary patches. Additionally, you should ensure that your dependencies are up-to-date and free from vulnerabilities.

Q: How can I fix CVE-2024-6763?

A: To fix CVE-2024-6763, you should upgrade to the latest version of Wiremock, which includes the necessary patches. Additionally, you should ensure that your dependencies are up-to-date and free from vulnerabilities.

Q: What is the CVSS 3 score for CVE-2024-47554?

A: The CVSS 3 score for CVE-2024-47554 is 4.3, which indicates a medium-severity vulnerability.

Q: What is the CVSS 3 score for CVE-2024-6763?

A: The CVSS 3 score for CVE-2024-6763 is 3.7, which indicates a low-severity vulnerability.

Q: What are the base score metrics for CVE-2024-47554?

A: The base score metrics for CVE-2024-47554 are:

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged

Q: What are the base score metrics for CVE-2024-6763?

A: The base score metrics for CVE-2024-6763 are:

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Q: What are the impact metrics for CVE-2024-47554?

A: The impact metrics for CVE-2024-47554 are:

  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Q: What are the impact metrics for CVE-2024-6763?

A: The impact metrics for CVE-2024-6763 are:

  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Q: Where can I find more information about CVE-2024-47554?

A: You can find more information about CVE-2024-47554 on the following website:

  • https://www.mend.io/vulnerability-database/CVE-2024-47554

Q: Where can I find more information about CVE-2024-6763?

A: You can find more information about CVE-2024-6763 on the following website:

  • https://www.mend.io/vulnerability-database/CVE-2024-6763