Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF in GeoServer
CVE-2023-41339

8.6 HIGH

Key Information:

Vendor: GeoServer

Status
Vendor
CVE Published: 25 October 2023

What is CVE-2023-41339?

GeoServer, a widely used open-source server for geospatial data, has a vulnerability due to improper handling of the sld=<url> parameter in WMS requests. When dynamic styling is enabled without proper URL validation, it exposes the system to server-side request forgery attacks. This could allow an attacker to steal sensitive NetNTLMv2 hashes from users, potentially leading to unauthorized access if relayed or cracked. It is crucial for users to upgrade to the patched versions, 2.22.5 or 2.23.2, to mitigate this risk.
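To check whether the `sld` parameter described above is being used against a deployment, the following added example (not part of the original advisory or of GeoServer's code) scans web access logs for WMS requests that carry `sld=<url>` and reports which target hosts fall outside an expected set. The log lines, the `/geoserver/wms` path, the host names and the allowlist are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format); all hosts are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2023:10:01:02 +0000] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetMap&layers=topp:states&styles=population HTTP/1.1" 200 5120
203.0.113.9 - - [25/Oct/2023:10:01:05 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&SLD=http%3A%2F%2Funtrusted.example%2Fstyle.sld HTTP/1.1" 200 311
198.51.100.4 - - [25/Oct/2023:10:02:11 +0000] "GET /geoserver/ows?service=WMS&request=GetMap&layers=topp:states&sld=https://styles.internal.example/roads.sld HTTP/1.1" 200 4801
"""

# Assumption: the only hosts this deployment legitimately fetches remote styles from.
ALLOWED_SLD_HOSTS = {"styles.internal.example"}

# Client address, then the request target inside the quoted request line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_sld_requests(log_text, allowed_hosts=ALLOWED_SLD_HOSTS):
    """Return one finding per logged request whose query string carries sld=<url>."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parsable request line
        client, target = match.groups()
        # WMS parameter names are case-insensitive; parse_qsl percent-decodes values.
        params = {k.lower(): v for k, v in
                  parse_qsl(urlsplit(target).query, keep_blank_values=True)}
        if "sld" not in params:
            continue
        sld = params["sld"]
        # A value with no parsable host yields "" and is reported as not allowed.
        host = (urlsplit(sld).hostname or "").lower()
        findings.append({"client": client, "sld": sld, "host": host,
                         "allowed": host in allowed_hosts})
    return findings


if __name__ == "__main__":
    for f in find_sld_requests(SAMPLE_LOG):
        status = "expected" if f["allowed"] else "REVIEW"
        print(f'{status}: {f["client"]} requested sld={f["sld"]}')
```

Only parameters present in the logged query string are visible to this check; a request that carries its parameters in a POST body will not appear in a standard access log.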

Affected Version(s)

geoserver < 2.22.5

geoserver >= 2.23.0, < 2.23.2

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
