Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF in GeoServer
CVE-2023-41339
8.6 HIGH
What is CVE-2023-41339?
GeoServer, a widely used open-source server for geospatial data, has a vulnerability due to improper handling of the sld=<url> parameter in WMS requests. When dynamic styling is enabled without proper URL validation, it exposes the system to server-side request forgery attacks. This could allow an attacker to steal sensitive NetNTLMv2 hashes from users, potentially leading to unauthorized access if relayed or cracked. It is crucial for users to upgrade to the patched versions, 2.22.5 or 2.23.2, to mitigate this risk.
Affected Version(s)
geoserver < 2.22.5
geoserver >= 2.23.0, < 2.23.2
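
For operators reviewing logs from an affected version, the following added example (not part of the advisory or of GeoServer) scans access-log lines for WMS requests whose sld parameter points at a host outside an approved list. The combined log format, the function name `find_remote_sld`, the allowlisted host `styles.example.org` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Oct/2023:10:00:01 +0000] "GET /geoserver/wms?service=WMS'
    '&request=GetMap&layers=topp:states&sld=http%3A%2F%2Fstyles.example.org%2Fa.sld HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Oct/2023:10:00:05 +0000] "GET /geoserver/wms?service=WMS'
    '&request=GetMap&layers=topp:states&SLD=http%3A%2F%2F198.51.100.20%2Fx HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Oct/2023:10:00:09 +0000] "GET /geoserver/wms?service=WMS'
    '&request=GetMap&layers=topp:states&styles=population HTTP/1.1" 200 8841',
]

# Client address and request target from a combined-log-format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_remote_sld(lines, allowed_hosts):
    """Return (client, sld_url) pairs where sld= names a host not on the allowlist."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we can parse
        client, target = match.groups()
        # parse_qsl percent-decodes values; WMS parameter names are case-insensitive.
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key.lower() != "sld":
                continue
            try:
                style = urlsplit(value)
                host = (style.hostname or "").lower()
            except ValueError:
                style, host = None, ""  # malformed URL: treat as suspicious
            if style and style.scheme.lower() in ("http", "https") and host in allowed:
                continue  # style fetched from an approved host
            findings.append((client, value))
    return findings


if __name__ == "__main__":
    for client, url in find_remote_sld(SAMPLE_LOG, {"styles.example.org"}):
        print(f"review: {client} requested external style {url}")
```

Hits from this check on a server older than 2.22.5 or 2.23.2 are candidates for follow-up; it only sees parameters passed in the URL query string, not in POST bodies.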