PT-2023-19944 · Geotools · Geotools

Jodygarnett +1 · Published 2023-02-21 · Updated 2023-03-02 · CVE-2023-25158

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GeoTools 27.x prior to 27.4; GeoTools 28.x prior to 28.2.

Description: GeoTools is an open source Java library that provides tools for geospatial data. It includes support for parsing and encoding the OGC Filter expression language and executing filters against a range of datastores. SQL injection vulnerabilities were found when OGC Filters are executed by JDBCDataStore implementations: untrusted values from the filter can reach the generated SQL without proper escaping. The issue affects several filter and function implementations, including PropertyIsLike, strEndsWith, strStartsWith, FeatureId, jsonArrayContains, and DWithin.

Recommendations: To resolve the issue, upgrade to version 27.4 or 28.2. Until the upgrade is in place, two interim measures are available. For PostGIS DataStores, disable function encoding (the "encode functions" parameter, which pushes filter functions such as strStartsWith down into SQL; it is off by default, so only deployments that turned it on are exposed through this path). For all JDBCDataStores, enable prepared statements (the "preparedStatements" parameter) so that filter literals are bound as parameters rather than inlined into the query text; this is only a partial mitigation, since not every affected code path goes through a bound parameter. For a PostGIS DataStore, apply both: set preparedStatements to true and encode functions to false in the data store parameters.
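The interim configuration described above, as an added example that is not part of the advisory or of the GeoTools project's own code: it builds the PostGIS data store parameter map with the weak settings beside the mitigated ones, and refuses to open a store whose parameters still carry the weak settings. It assumes the GeoTools 27.x/28.x package layout (org.geotools.data.*, org.geotools.jdbc.*, gt-jdbc-postgis on the classpath); the host, database and credential values are placeholders.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import org.geotools.data.DataStore;
import org.geotools.data.DataStoreFinder;
import org.geotools.data.postgis.PostgisNGDataStoreFactory;
import org.geotools.jdbc.JDBCDataStoreFactory;

/** PostGIS DataStore parameters with and without the CVE-2023-25158 interim workaround. */
public final class MitigatedPostgisParams {

    /** Connection details below are placeholders, not real infrastructure. */
    public static Map<String, Object> baseParams() {
        Map<String, Object> params = new HashMap<>();
        params.put(JDBCDataStoreFactory.DBTYPE.key, "postgis");
        params.put(JDBCDataStoreFactory.HOST.key, "db.example.internal"); // placeholder
        params.put(JDBCDataStoreFactory.PORT.key, 5432);
        params.put(JDBCDataStoreFactory.DATABASE.key, "gis");             // placeholder
        params.put(JDBCDataStoreFactory.SCHEMA.key, "public");
        params.put(JDBCDataStoreFactory.USER.key, "gis_reader");           // placeholder
        params.put(JDBCDataStoreFactory.PASSWD.key, "change-me");          // placeholder
        return params;
    }

    /** Weak: literals are inlined into SQL text and filter functions are pushed down as SQL. */
    public static Map<String, Object> weakParams() {
        Map<String, Object> params = baseParams();
        params.put(PostgisNGDataStoreFactory.PREPARED_STATEMENTS.key, Boolean.FALSE); // "preparedStatements"
        params.put(PostgisNGDataStoreFactory.ENCODE_FUNCTIONS.key, Boolean.TRUE);     // "encode functions"
        return params;
    }

    /** Mitigated, per the advisory: preparedStatements=true and encode functions=false. */
    public static Map<String, Object> mitigatedParams() {
        Map<String, Object> params = baseParams();
        params.put(PostgisNGDataStoreFactory.PREPARED_STATEMENTS.key, Boolean.TRUE);
        params.put(PostgisNGDataStoreFactory.ENCODE_FUNCTIONS.key, Boolean.FALSE);
        return params;
    }

    /** Pre-connection check: true only when prepared statements are on and function encoding is off. */
    public static boolean isMitigated(Map<String, ?> params) {
        boolean prepared = Boolean.TRUE.equals(params.get(PostgisNGDataStoreFactory.PREPARED_STATEMENTS.key));
        // "encode functions" defaults to false when absent, so only an explicit true counts as weak.
        boolean encode = Boolean.TRUE.equals(params.get(PostgisNGDataStoreFactory.ENCODE_FUNCTIONS.key));
        return prepared && !encode;
    }

    /** Opens the store, failing fast if the workaround is not applied. */
    public static DataStore open(Map<String, ?> params) throws IOException {
        if (!isMitigated(params)) {
            throw new IllegalStateException(
                    "refusing to open PostGIS DataStore without the CVE-2023-25158 workaround");
        }
        DataStore store = DataStoreFinder.getDataStore(params);
        if (store == null) {
            throw new IOException("no DataStore factory accepted the parameters (is gt-jdbc-postgis on the classpath?)");
        }
        return store;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("weak config passes check: " + isMitigated(weakParams()));
        System.out.println("mitigated config passes check: " + isMitigated(mitigatedParams()));
        // open(mitigatedParams()) connects for real and needs a reachable PostGIS instance.
    }
}
```

The check is deliberately a gate rather than a silent override: a deployment that reaches this point with the weak settings should fail loudly so the operator notices, and even the mitigated map is only an interim measure until the library is upgraded to 27.4 or 28.2.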

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2023-25158, GHSA-99C3-QC2Q-P94M

Affected Products: Geotools