CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.136 Low
EPSS Percentile: 95.7%
The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests.
This presents the opportunity for Server Side Request Forgery.
This vulnerability requires:
This vulnerability presents the opportunity for Server Side Request Forgery.
The ability to reference an external URL location is defined by the WPS standard Execute operation. This operation is defined by an industry and international standard and cannot be redefined by the GeoServer application in isolation.
To disable complex remote inputs on GeoServer 2.20.5 and GeoServer 2.21.0:
To allow processing of complex inputs safely in GeoServer 2.22.5 and GeoServer 2.23.2:
Processing of complex inputs safely is on by default in GeoServer 2.24.0.
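The remote references that the Execute operation permits can be audited on captured request bodies before or after the fact. The sketch below is an added example, not GeoServer code or configuration: it assumes WPS 1.0.0 namespaces, and the allow-list `ALLOWED_HOSTS`, the function names and the sample request are hypothetical and constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WPS_NS = "http://www.opengis.net/wps/1.0.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
ALLOWED_HOSTS = {"data.example.org"}  # assumption: hosts this deployment trusts

# Constructed WPS 1.0.0 Execute body with two remote complex inputs.
SAMPLE_EXECUTE = """<wps:Execute service="WPS" version="1.0.0"
    xmlns:wps="http://www.opengis.net/wps/1.0.0"
    xmlns:ows="http://www.opengis.net/ows/1.1"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <ows:Identifier>example:process</ows:Identifier>
  <wps:DataInputs>
    <wps:Input><ows:Identifier>a</ows:Identifier>
      <wps:Reference xlink:href="https://data.example.org/layer.gml" method="GET"/>
    </wps:Input>
    <wps:Input><ows:Identifier>b</ows:Identifier>
      <wps:Reference xlink:href="http://10.0.0.5:8080/status" method="GET"/>
    </wps:Input>
  </wps:DataInputs>
</wps:Execute>"""


def remote_references(execute_xml):
    """Return every xlink:href carried by a wps:Reference element."""
    root = ET.fromstring(execute_xml)
    refs = root.iter(f"{{{WPS_NS}}}Reference")
    return [r.get(f"{{{XLINK_NS}}}href", "") for r in refs]


def verdict(url):
    """Classify one reference: 'allow', or the reason it should be refused."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return "deny: scheme"
    try:
        if not ipaddress.ip_address(host).is_global:
            return "deny: non-public address"
    except ValueError:
        pass  # not an IP literal; fall through to the host allow-list
    return "allow" if host in ALLOWED_HOSTS else "deny: host not allow-listed"


def audit(execute_xml):
    """Map each remote reference in an Execute request to its verdict."""
    return {url: verdict(url) for url in remote_references(execute_xml)}
```

A host-name allow-list does not cover DNS answers that resolve to internal addresses, so the server making the request still needs to check the resolved address. When parsing request bodies from untrusted clients, use a hardened XML parser such as `defusedxml` in place of the standard-library one.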
| CPE | Name | Operator | Version |
|---|---|---|---|
| | org.geoserver.extension:gs-wps-core | lt | 2.23.2 |
| | org.geoserver.extension:gs-wps-core | lt | 2.22.5 |