CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2023-51444 – GeoServer arbitrary file upload vulnerability in REST Coverage Store API
https://notcve.org/view.php?id=CVE-2023-51444
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage stores through the REST Coverage Store API to upload arbitrary file contents to arbitrary file locations which can lead to remote code execution. Coverage stores that are configured using relative paths use a GeoServer Resource implementation that has validation to prevent path traversal but coverage stores that are configured using absolute paths use a different Resource implementation that does not prevent path traversal. This vulnerability can lead to executing arbitrary code. An administrator with limited privileges could also potentially exploit this to overwrite GeoServer security files and obtain full administrator privileges. • https://github.com/geoserver/geoserver/commit/ca683170c669718cb6ad4c79e01b0451065e13b8 https://github.com/geoserver/geoserver/commit/fe235b3bb1d7f05751a4a2ef5390c36f5c9e78ae https://github.com/geoserver/geoserver/pull/7222 https://github.com/geoserver/geoserver/security/advisories/GHSA-9v5q-2gwq-q9hq https://osgeo-org.atlassian.net/browse/GEOS-11176 • CWE-20: Improper Input Validation CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41877 – GeoServer log file path traversal vulnerability
https://notcve.org/view.php?id=CVE-2023-41877
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A path traversal vulnerability in versions 2.23.4 and prior requires GeoServer Administrator with access to the admin console to misconfigure the Global Settings for log file location to an arbitrary location. The admin console GeoServer Logs page provides a preview of these contents. As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not received a patch as of time of publication. As a workaround, a system administrator responsible for running GeoServer can use the `GEOSERVER_LOG_FILE` setting to override any configuration option provided by the Global Settings page. • https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location https://github.com/geoserver/geoserver/security/advisories/GHSA-8g7v-vjrc-x4g5 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 28%CPEs: 2EXPL: 0CVE-2023-43795 – WPS Server Side Request Forgery in GeoServer
https://notcve.org/view.php?id=CVE-2023-43795
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2. GeoServer es un servidor de software de código abierto escrito en Java que permite a los usuarios compartir y editar datos geoespaciales. • https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-41339 – Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF in GeoServer
https://notcve.org/view.php?id=CVE-2023-41339
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=<url>`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2. • https://github.com/geoserver/geoserver/releases/tag/2.22.5 https://github.com/geoserver/geoserver/releases/tag/2.23.2 https://github.com/geoserver/geoserver/security/advisories/GHSA-cqpc-x2c6-2gmf • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 68%CPEs: 5EXPL: 6CVE-2023-25157 – Unfiltered SQL Injection Vulnerabilities in Geoserver
https://notcve.org/view.php?id=CVE-2023-25157
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse. • https://github.com/dr-cable-tv/Geoserver-CVE-2023-25157 https://github.com/win3zz/CVE-2023-25157 https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158 https://github.com/0x2458bughunt/CVE-2023-25157 https://github.com/7imbitz/CVE-2023-25157-checker https://github.com/Rubikcuv5/CVE-2023-25157 https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •