XXE attack in WireMock - CVE-2018-9116
Published: April 25, 2018 / Updated: April 25, 2018
Vulnerability identifier: #VU12143
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-9116
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Tom Akehurst
Affected software:
WireMock
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.
The weakness exists because remote Document Type Definition (DTD) documents are included when XPath or XML matching is used. A remote attacker can send a specially crafted request to trigger CPU saturation and crash the service.
How to mitigate CVE-2018-9116
Update to version 2.16.0.
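As an added defensive illustration (not code from the advisory or from WireMock itself), the following Java snippet shows how an XPath/XML matcher that evaluates untrusted request bodies can configure its DOM parser so that no inline or remote DTD is ever processed. The class and method names are hypothetical, and the two sample bodies are constructed to show that a document carrying a DOCTYPE is rejected before any DTD could be fetched.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class HardenedXmlMatcher {  // hypothetical class, not WireMock's own

    // Build a DOM parser that never loads DTDs or resolves external entities.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: neither inline nor remote DTDs are processed.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Evaluate an XPath expression against an untrusted request body.
    // Returns null when the body is rejected, so the request simply does not match.
    static String matchXPath(String body, String expr) throws Exception {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(body)));
            XPath xp = XPathFactory.newInstance().newXPath();
            return xp.evaluate(expr, doc);
        } catch (SAXParseException e) {
            return null;  // DOCTYPE or entity use: refuse rather than resolve anything
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request bodies for illustration only.
        String benign = "<order><id>42</id></order>";
        String withDtd = "<!DOCTYPE order SYSTEM \"placeholder.dtd\"><order><id>42</id></order>";
        System.out.println(matchXPath(benign, "/order/id"));   // benign body is evaluated normally
        System.out.println(matchXPath(withDtd, "/order/id"));  // DOCTYPE body is rejected before any fetch
    }
}
```

Rejecting the DOCTYPE at parse time means the parser never opens a network connection or spends CPU expanding entities, which is the behaviour the fixed version of the matcher needs regardless of which XPath expression a stub uses.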