Jodygarnett

**Name of the Vulnerable Software and Affected Versions** GeoNetwork versions prior to 4.2.10 GeoNetwork versions prior to 4.4.5 **Description** The search endpoint response headers in GeoNetwork contain information about the Elasticsearch software in use, allowing the software used by the server to be easily identified. This information is valuable from a security point of view. **Recommendations** For versions prior to 4.2.10, update to version 4.2.10 or later to fix the issue. For versions prior to 4.4.5, update to version 4.4.5 or later to fix the issue.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.26.0 **Description** GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions, the welcome and about page includes version and revision information about the software in use, including library and components used. This information is sensitive from a security point of view because it allows software used by the server to be easily identified. **Recommendations** For versions prior to 2.26.0, upgrade to version 2.26.0 to resolve the issue. As a temporary workaround, consider disabling the ADMIN CONSOLE completely.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.22.5 GeoServer versions prior to 2.23.2 GeoServer version 2.20.5 GeoServer version 2.21.0 **Description** The OGC Web Processing Service (WPS) specification in GeoServer allows processing of information from any server using GET and POST requests, presenting an opportunity for Server Side Request Forgery (SSRF). This issue requires the WPS extension to be installed, the WPS security setting "Disable complex inputs" to be unselected, and security URL checks to be disabled. The vulnerability has been patched in versions 2.22.5 and 2.23.2. **Recommendations** For GeoServer 2.20.5 and GeoServer 2.21.0: To disable complex remote inputs, navigate to Security > WPS Security page, locate the Complex Inputs heading, and select the check box for Disable loading complex inputs from remote references. For GeoServer 2.22.5 and GeoServer 2.23.2: To allow processing of complex inputs safely, navigate to Security > URL Checks, enable URL Checks, and check the user manual for examples of how to trust specific locations for external services. For GeoServer 2.24.0 and later: No action is required as processing of complex inputs safely is enabled by default.

**Name of the Vulnerable Software and Affected Versions** GeoTools versions prior to 27.4 GeoTools versions prior to 28.2 **Description** GeoTools is an open source Java library that provides tools for geospatial data. It includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. The issue affects various filter and function implementations, including `PropertyIsLike`, `strEndsWith`, `strStartsWith`, `FeatureId`, `jsonArrayContains`, and `DWithin`. **Recommendations** To resolve the issue, upgrade to either version 27.4 or 28.2. As a temporary workaround, consider disabling `encode functions` for PostGIS DataStores. Alternatively, enable `prepared statements` for JDBCDataStores as a partial mitigation. For PostGIS DataStore, set `preparedStatements` to `true` and `encode functions` to `false` in the data store parameters to mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.21.4 GeoServer versions prior to 2.22.2 GeoServer versions prior to 2.20.7 GeoServer versions prior to 2.19.7 GeoServer versions prior to 2.18.7 **Description** The issue is related to SQL injection vulnerabilities in GeoServer, which allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. The vulnerabilities arise from insufficient sanitization of user input in the CQL FILTER parameter of WFS and WMS protocols. This can be exploited by sending specially crafted requests to the "GET /geoserver/ows" endpoint. Vulnerable functions include `strEndsWith`, `strStartsWith`, and `PropertyIsLike`. **Recommendations** To resolve the issue, upgrade to version 2.21.4 or version 2.22.2. For versions prior to 2.20.7, upgrade to version 2.20.7. For versions prior to 2.19.7, upgrade to version 2.19.7. For versions prior to 2.18.7, upgrade to version 2.18.7. As a temporary workaround, consider disabling the PostGIS Datastore *encode functions* setting to mitigate `strEndsWith`, `strStartsWith` and `PropertyIsLike` misuse. Enable the PostGIS DataStore *preparedStatements* setting to mitigate the `FeatureId` misuse.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.21.0 GeoServer versions prior to 2.20.4 GeoServer versions prior to 1.19.6 **Description** The GeoServer security mechanism can perform an unchecked JNDI lookup, which can be used to perform class deserialization and result in arbitrary code execution. This can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. To exploit this, an attack needs to have obtained admin rights and use either the GeoServer GUI or its REST API. **Recommendations** For versions prior to 2.21.0, restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible. For versions prior to 2.20.4, restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible. For versions prior to 1.19.6, restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible.