GeoServer has a Server-Side Request Forgery (SSRF) Vulnerability in its XML Entity Resolution
🔗 CVE IDs covered (1)
📋 Description
Summary
A GeoServer that uses ENTITY_RESOLUTION_ALLOWLIST may allow attacker to perform unauthenticated Server-Side Request Forgery (SSRF).
Details
This vulnerability requires that GeoServer is set up to use a proxy base URL and the ENTITY_RESOLUTION_ALLOWLIST (default since 2.25.0):
Impact
This vulnerability allows an attacker to cause GeoServer to make requests to an unintended location.
Workaround
GeoServer installations are only affected by this vulnerability if they use a proxy base URL that does not contain a URL path or end with a slash (e.g., https://somesite.org instead of https://somesite.org/ or https://somesite.org/geoserver). If the proxy base URL does not contain a path, adding a slash to the end of the URL will mitigate this vulnerability.
Resources
https://osgeo-org.atlassian.net/browse/GEOS-11867 https://github.com/geoserver/geoserver/pull/8622
Credits:
- Le Mau Anh Phong at Verichains Cyber Force
🎯 Affected products4
- maven/org.geoserver.web:gs-web-app:<= 2.26.3
- maven/org.geoserver:gs-main:<= 2.26.3
- maven/org.geoserver:gs-main:>= 2.27.0, <= 2.27.2
- maven/org.geoserver.web:gs-web-app:>= 2.27.0, <= 2.27.2