DIVD-2023-00024 - SQL injection in GeoServer - CVE-2023-25157
| Case lead | Max van der Horst |
| Author | Jeroen van de Weerd |
| Last modified | 26 Sep 2023 11:50 |
GeoServer identified a vulnerability in the GeoTools library that allows SQL injection through OGC Filter and Function expressions. A proof of concept (POC) is publicly available.
What you can do
GeoServer advises installing the patch by upgrading to version 2.23.0. If that is not possible, two mitigations are available: disable the PostGIS DataStore "encode functions" setting to mitigate the strEndsWith injection, and enable the PostGIS DataStore "preparedStatements" setting to mitigate the FeatureId injection. Both mitigations need to be applied to cover both injection paths. Note that these mitigations are known to cause significant slowdowns.
What we are doing
DIVD is currently identifying vulnerable parties and notifying them. We do this by finding GeoServer instances and extracting the version string. Vulnerable parties receive a notification with remediation steps.
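The following script is an added example, not DIVD's fingerprinting tooling or code from the GeoServer project. It ties the two remediation paths above together: an instance is in the clear if its fingerprinted version is 2.23.0 or later, otherwise only if its PostGIS data stores have both mitigations applied (encode functions off, prepared statements on). It assumes the data store documents follow the JSON layout of the GeoServer REST API (connectionParameters as a list of {"@key": ..., "$": ...} entries) and that the two settings appear under the GeoTools PostGIS factory parameter names "encode functions" and "preparedStatements". All version strings and store documents are constructed for the example.

```python
"""Triage GeoServer instances for CVE-2023-25157: patched, mitigated, or vulnerable.

Assumptions (not from the DIVD page): data store documents use the GeoServer
REST API JSON layout, where connectionParameters is a list of
{"@key": ..., "$": ...} entries, and the two relevant settings are keyed by the
GeoTools PostGIS factory parameter names below. All sample data is constructed."""

import re

FIXED_VERSION = (2, 23, 0)                      # version named in the advice
ENCODE_FUNCTIONS_KEY = "encode functions"       # assumed parameter key
PREPARED_STATEMENTS_KEY = "preparedStatements"  # assumed parameter key


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '2.22.1' or
    'GeoServer 2.21.0-SNAPSHOT'. Returns None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def needs_upgrade(version_text):
    """True if the fingerprinted version predates the fixed release,
    False if it is fixed, None if the version could not be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_VERSION


def _explicit_bool(params, key):
    """Return True/False only when the key is explicitly set; None when the
    store relies on the factory default, which this audit does not guess."""
    if key not in params:
        return None
    return str(params[key]).strip().lower() == "true"


def audit_datastore(doc):
    """Report which mitigations a PostGIS store has applied.
    Non-PostGIS stores are out of scope and yield None."""
    ds = doc["dataStore"]
    if ds.get("type") != "PostGIS":
        return None
    params = {e["@key"]: e["$"] for e in ds["connectionParameters"]["entry"]}
    encode = _explicit_bool(params, ENCODE_FUNCTIONS_KEY)
    prepared = _explicit_bool(params, PREPARED_STATEMENTS_KEY)
    # A mitigation counts only when the setting is explicitly in the safe state.
    str_mitigated = encode is False
    fid_mitigated = prepared is True
    return {
        "name": ds["name"],
        "strEndsWith_mitigated": str_mitigated,
        "featureId_mitigated": fid_mitigated,
        "fully_mitigated": str_mitigated and fid_mitigated,
    }


def _store(name, encode, prepared):
    """Build a constructed REST-style PostGIS data store document.
    Pass None to leave a setting out of the document entirely."""
    entries = [{"@key": "dbtype", "$": "postgis"},
               {"@key": "host", "$": "db.example"},
               {"@key": "database", "$": "gis"}]
    if encode is not None:
        entries.append({"@key": ENCODE_FUNCTIONS_KEY, "$": str(encode).lower()})
    if prepared is not None:
        entries.append({"@key": PREPARED_STATEMENTS_KEY, "$": str(prepared).lower()})
    return {"dataStore": {"name": name, "type": "PostGIS",
                          "connectionParameters": {"entry": entries}}}


# Constructed sample inventory: (instance, fingerprinted version, store document).
SAMPLE_INVENTORY = [
    ("gis-old", "GeoServer 2.21.2", _store("roads", True, False)),
    ("gis-mitigated", "2.22.1", _store("parcels", False, True)),
    ("gis-patched", "2.23.0", _store("parcels", True, False)),
    ("gis-unknown", "2.22.1", _store("water", None, None)),
]


def triage(inventory):
    """Classify each instance as 'patched', 'mitigated', or 'vulnerable'."""
    result = {}
    for host, version, store_doc in inventory:
        audit = audit_datastore(store_doc)
        if needs_upgrade(version) is False:
            result[host] = "patched"
        elif audit is not None and audit["fully_mitigated"]:
            result[host] = "mitigated"
        else:
            result[host] = "vulnerable"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Unparseable versions and settings that are absent from the store document are deliberately treated as unverified rather than safe: the "gis-unknown" instance relies on factory defaults for both settings and is reported as vulnerable until someone confirms the configuration.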
| 20 Feb 2023 | GeoServer publishes advisory. |
| 06 Jun 2023 | POC becomes available. |
| 07 Jun 2023 | DIVD starts researching fingerprint. |
| 07 Jun 2023 | First version of this casefile. |
| 04 Jul 2023 | DIVD starts notification round. |
| 26 Sep 2023 | Case closed. |