CVE-2023-41339

Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF in GeoServer

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=<url>`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2.

GeoServer es un servidor de software de código abierto escrito en Java que permite a los usuarios compartir y editar datos geoespaciales. La especificación WMS define un parámetro ``sld=`` para las operaciones GetMap, GetLegendGraphic y GetFeatureInfo para el "estilo dinámico" proporcionado por el usuario. Habilitar el uso de estilos dinámicos, sin configurar también comprobaciones de URL, brinda la oportunidad de Server-Side Request Forgery (SSRF). Esta vulnerabilidad se puede utilizar para robar hashes NetNTLMv2 del usuario que podrían transmitirse o descifrarse externamente para obtener más acceso. Esta vulnerabilidad ha sido parcheada en las versiones 2.22.5 y 2.23.2.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-08-28 CVE Reserved
2023-10-24 CVE Published
2023-11-01 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (3)

URL	Tag	Source
https://github.com/geoserver/geoserver/releases/tag/2.22.5	Release Notes
https://github.com/geoserver/geoserver/releases/tag/2.23.2	Release Notes

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/geoserver/geoserver/security/advisories/GHSA-cqpc-x2c6-2gmf	2023-10-31

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Osgeo Search vendor "Osgeo"		Geoserver Search vendor "Osgeo" for product "Geoserver"				< 2.22.5 Search vendor "Osgeo" for product "Geoserver" and version " < 2.22.5"		-		Affected
Osgeo Search vendor "Osgeo"		Geoserver Search vendor "Osgeo" for product "Geoserver"				>= 2.23.0 < 2.23.2 Search vendor "Osgeo" for product "Geoserver" and version " >= 2.23.0 < 2.23.2"		-		Affected