PT-2023-2269 · Geoserver · Geoserver

Jodygarnett +1 · Published 2023-02-21 · Updated 2025-01-25 · CVE-2023-25157

CVSS v2.0: 10 (Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Name of the Vulnerable Software and Affected Versions

GeoServer versions prior to 2.22.2
GeoServer versions prior to 2.21.4
GeoServer versions prior to 2.20.7
GeoServer versions prior to 2.19.7
GeoServer versions prior to 2.18.7
Description

GeoServer, an open-source server for sharing and editing geospatial data, supports the OGC Filter expression language and the OGC Common Query Language (CQL) as part of its Web Feature Service (WFS) and Web Map Service (WMS) implementations. User-controlled values passed in the CQL_FILTER parameter of WFS and WMS requests are not sufficiently sanitized before the filter is translated into SQL for the backing database, which results in SQL injection. The vulnerability can be exploited by sending specially crafted requests to the GET /geoserver/ows endpoint. Affected filter constructs include the strEndsWith, strStartsWith and PropertyIsLike functions, as well as FeatureId filters.
Recommendations

Upgrade to the fixed release of the branch in use: 2.22.2, 2.21.4, 2.20.7, 2.19.7 or 2.18.7. As a temporary workaround, disable the PostGIS DataStore "encode functions" setting so that strEndsWith, strStartsWith and PropertyIsLike are no longer pushed down into SQL, and enable the PostGIS DataStore "preparedStatements" setting to mitigate FeatureId misuse. The two settings address different injection vectors, so apply both; neither replaces the upgrade.
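As an added illustration, not GeoServer or GeoTools code and not a payload taken from this advisory, the following Python models the bug class behind the description and the workaround above: a hypothetical filter encoder that splices a CQL string literal straight into a SQL LIKE clause, next to a hardened encoder that binds the literal as a query parameter, which is what the preparedStatements setting achieves for the real datastore. The table, rows, attribute names and filter literals are constructed for the demo and run on an in-memory SQLite database standing in for PostGIS.

```python
"""Toy model of how a CQL string function is encoded to SQL.

Hypothetical code written for this advisory page; it does not reproduce
GeoServer's or GeoTools' actual encoder. It shows the bug class (a filter
literal interpolated into SQL text) beside the parameterized fix.
"""
import sqlite3

# Constructed sample data standing in for a PostGIS feature table.
ROWS = [("Paris", "FR"), ("Berlin", "DE"), ("Bern", "CH")]

# Attributes a filter may reference; identifiers cannot be bound as
# parameters, so they are validated against an allow-list instead.
ALLOWED_ATTRS = ("name", "country")


def make_db():
    """Create the in-memory table the two encoders are queried against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE places (name TEXT, country TEXT)")
    conn.executemany("INSERT INTO places VALUES (?, ?)", ROWS)
    return conn


def like_pattern(func, literal):
    """Map the three CQL string constructs to a LIKE pattern (hypothetical)."""
    if func == "strStartsWith":
        return literal + "%"
    if func == "strEndsWith":
        return "%" + literal
    if func == "PropertyIsLike":
        return literal  # the filter author supplies the wildcards
    raise ValueError(f"unsupported function {func!r}")


def encode_vulnerable(func, attr, literal):
    """Bug class: the literal is interpolated into the SQL text unescaped,
    so a single quote inside it terminates the string and the rest of the
    literal is parsed as SQL."""
    pattern = like_pattern(func, literal)
    return f"SELECT name FROM places WHERE {attr} LIKE '{pattern}' ORDER BY name"


def query_vulnerable(conn, func, attr, literal):
    """Run the interpolated statement and return the matching names."""
    return [row[0] for row in conn.execute(encode_vulnerable(func, attr, literal))]


def query_hardened(conn, func, attr, literal):
    """Hardened form: attribute validated, literal sent as a bind parameter.
    The pattern is data only, so quotes inside it never reach the parser."""
    if attr not in ALLOWED_ATTRS:
        raise ValueError(f"unknown attribute {attr!r}")
    sql = f"SELECT name FROM places WHERE {attr} LIKE ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (like_pattern(func, literal),))]


if __name__ == "__main__":
    db = make_db()
    # A benign literal: both encoders return the same rows.
    print(query_vulnerable(db, "strStartsWith", "name", "Ber"))
    print(query_hardened(db, "strStartsWith", "name", "Ber"))
    # A constructed literal containing a quote: only the vulnerable
    # encoder lets it rewrite the WHERE clause.
    crafted = "zzz' OR '1' LIKE '1"
    print(encode_vulnerable("strStartsWith", "name", crafted))
    print(query_vulnerable(db, "strStartsWith", "name", crafted))
    print(query_hardened(db, "strStartsWith", "name", crafted))
```

With the benign literal both paths return Berlin and Bern; with the constructed literal the vulnerable path returns every row because the quote closed the string early, while the hardened path returns nothing because the whole literal was compared as a pattern. Note that binding only protects values: the attribute name still has to be validated separately, which is why the example keeps an allow-list for it.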

Tags: Exploit · Fix

Weakness Enumeration: SQL injection

Related Identifiers

BDU:2023-02030
CVE-2023-25157
GHSA-7G5F-WRX8-5CCF

Affected Products

Geoserver