Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF in GeoServer
CVE-2023-41339

8.6HIGH

Key Information:

Vendor: Geoserver
Status: Geoserver
Vendor: CVE Published:; 25 October 2023

What is CVE-2023-41339?

GeoServer, a widely used open-source server for geospatial data, has a vulnerability due to improper handling of the sld=<url> parameter in WMS requests. When dynamic styling is enabled without proper URL validation, it exposes the system to server-side request forgery attacks. This could allow an attacker to steal sensitive NetNTLMv2 hashes from users, potentially leading to unauthorized access if relayed or cracked. It is crucial for users to upgrade to the patched versions, 2.22.5 or 2.23.2, to mitigate this risk.

Affected Version(s)

geoserver < 2.22.5 < 2.22.5

geoserver >= 2.23.0, < 2.23.2 < 2.23.0, 2.23.2

References

https://github.com/geoserver/geoserver/security/advisorie...

x_refsource_CONFIRM

https://github.com/geoserver/geoserver/releases/tag/2.22.5

x_refsource_MISC

https://github.com/geoserver/geoserver/releases/tag/2.23.2

x_refsource_MISC

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 25, 2023
Vulnerability Reserved
Aug 28, 2023

Geoserver

What is CVE-2023-41339?

Affected Version(s)

References

CVSS V3.1

Timeline