CVE-2023-43795 – WPS Server Side Request Forgery in GeoServer
https://notcve.org/view.php?id=CVE-2023-43795
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2. GeoServer es un servidor de software de código abierto escrito en Java que permite a los usuarios compartir y editar datos geoespaciales. • https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-41339 – Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF in GeoServer
https://notcve.org/view.php?id=CVE-2023-41339
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=<url>`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2. • https://github.com/geoserver/geoserver/releases/tag/2.22.5 https://github.com/geoserver/geoserver/releases/tag/2.23.2 https://github.com/geoserver/geoserver/security/advisories/GHSA-cqpc-x2c6-2gmf • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2023-27476 – XML External Entity (XXE) Injection in OWSLib
https://notcve.org/view.php?id=CVE-2023-27476
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. • https://github.com/geopython/OWSLib/pull/863/commits/b92687702be9576c0681bb11cad21eb631b9122f https://github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggc https://lists.debian.org/debian-lts-announce/2023/06/msg00032.html https://securitylab.github.com/advisories/GHSL-2022-131_owslib https://www.debian.org/security/2023/dsa-5426 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-25157 – Unfiltered SQL Injection Vulnerabilities in Geoserver
https://notcve.org/view.php?id=CVE-2023-25157
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse. • https://github.com/dr-cable-tv/Geoserver-CVE-2023-25157 https://github.com/win3zz/CVE-2023-25157 https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158 https://github.com/0x2458bughunt/CVE-2023-25157 https://github.com/7imbitz/CVE-2023-25157-checker https://github.com/Rubikcuv5/CVE-2023-25157 https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-0699
https://notcve.org/view.php?id=CVE-2022-0699
A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over malloc. Se presenta una condición de doble liberación en el archivo contrib/shpsort.c de shapelib versiones 1.5.0 y anteriores. Este problema puede permitir a un atacante causar una denegación de servicio o tener otro impacto no especificado por medio del control de malloc • https://github.com/OSGeo/shapelib/commit/c75b9281a5b9452d92e1682bdfe6019a13ed819f https://github.com/OSGeo/shapelib/issues/39 • CWE-415: Double Free CWE-416: Use After Free •