Elnimo-00

**Name of the Vulnerable Software and Affected Versions** pygeoapi versions 0.23.0 through 0.23.2 **Description** A raw string path concatenation issue in the STAC FileSystemProvider plugin allows requests to STAC collection based collections to expose directories without authentication. This occurs when the server is deployed without a proxy or web front end to normalize URLs containing `..` values and has a resource of type `stac-collection` defined in the configuration. **Recommendations** Update to version 0.23.3. As a temporary workaround, disable STAC collection based resources in the configuration.

**Name of the Vulnerable Software and Affected Versions** pygeoapi versions 0.23.0 through 0.23.2 **Description** OGC API process execution requests can utilize the `subscriber` object to make requests to internal HTTP services. This allows for unauthorized interaction with internal network resources. **Recommendations** Update to version 0.23.3. As a temporary workaround, disable process based resources in the pygeoapi configuration.