CVE-2023-43795

2023-10-2518:17:32

CWE-918

[email protected]

web.nvd.nist.gov

geoserver

cve-2023-43795

nvd

vulnerability

patch

java

ogc

wps

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

0.136 Low

EPSS

Percentile

95.7%

JSON

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.

Affected configurations

Vulners

NVD

Node

geoservergeoserverRange<2.22.5

geoservergeoserverRange2.23.0–2.23.2

VendorProductVersionCPE
geoservergeoserver*cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*
geoservergeoserver*cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
geoserver	geoserver	*	cpe:2.3:a:geoserver:geoserver::::::::
geoserver	geoserver	*	cpe:2.3:a:geoserver:geoserver::::::::

CNA Affected

[
  {
    "vendor": "geoserver",
    "product": "geoserver",
    "versions": [
      {
        "version": "< 2.22.5",
        "status": "affected"
      },
      {
        "version": ">= 2.23.0, < 2.23.2",
        "status": "affected"
      }
    ]
  }
]