PT-2023-20446 · Geoserver+1

Jorgectf · Published 2023-02-27 · Updated 2024-08-30 · CVE-2023-26043

CVSS v4.0: 7.1 High

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

GeoNode versions prior to 4.0.3

Description

GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer, leading to arbitrary file read. The issue arises from the dataset style upload view, which allows users to upload new styles for datasets. The extract_name_from_sld function uses a default XMLParser with the resolve_entities flag set to True, which allows external entities to be parsed. This enables an attacker to upload a malicious SLD file, potentially leading to the disclosure of sensitive information. The vulnerability can be exploited by sending a crafted request to the /gs/geonode:<DATASET NAME>/style/upload endpoint with a malicious SLD file.

Recommendations

For versions prior to 4.0.3, update to version 4.0.3 or later to patch the vulnerability. As a temporary workaround, consider restricting access to the style upload functionality or disabling the dataset style upload view until a patch is applied. Additionally, restrict access to the extract_name_from_sld function to minimize the risk of exploitation.
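
Added example (not GeoNode's code or its patch): one way to screen an uploaded SLD so that any DOCTYPE or entity declaration is rejected before the style name is read, using only the Python standard library. The names reject_dtd, safe_style_name, screen_upload and ForbiddenDTD are hypothetical, the sample documents are constructed, and Python 3.8+ is assumed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

class ForbiddenDTD(ValueError):
    """An uploaded SLD carried a DOCTYPE or entity declaration."""

def reject_dtd(sld_bytes: bytes) -> None:
    """Pre-scan with expat and abort on the first DTD construct, before expansion."""
    def forbid(*_args):
        raise ForbiddenDTD("DOCTYPE/ENTITY declarations are not accepted in SLD uploads")
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = forbid
    scanner.EntityDeclHandler = forbid
    scanner.UnparsedEntityDeclHandler = forbid
    scanner.ExternalEntityRefHandler = forbid
    scanner.Parse(sld_bytes, True)

def safe_style_name(sld_bytes: bytes) -> str:
    """Hypothetical stand-in for the name-extraction step (not GeoNode's code)."""
    reject_dtd(sld_bytes)
    root = ET.fromstring(sld_bytes)
    # "{*}" matches any namespace (Python 3.8+), covering SLD 1.0 and 1.1 layouts.
    for path in ("{*}NamedLayer/{*}UserStyle/{*}Name", "{*}NamedLayer/{*}Name"):
        node = root.find(path)
        if node is not None and node.text and node.text.strip():
            return node.text.strip()
    raise ValueError("SLD has no style name")

def screen_upload(sld_bytes: bytes):
    """Return (accepted, detail) so a view can answer with an error instead of parsing."""
    try:
        return True, safe_style_name(sld_bytes)
    except (ForbiddenDTD, expat.ExpatError, ET.ParseError, ValueError) as exc:
        return False, f"{type(exc).__name__}: {exc}"

# With lxml, the parser-level equivalent is
# etree.XMLParser(resolve_entities=False, no_network=True).

# Constructed sample inputs: a plain SLD, and one that declares an (inert) entity.
BENIGN_SLD = b"""<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0" xmlns="http://www.opengis.net/sld">
  <NamedLayer><Name>roads</Name>
    <UserStyle><Name>roads_style</Name></UserStyle>
  </NamedLayer>
</StyledLayerDescriptor>"""
DTD_SLD = b"""<?xml version="1.0"?>
<!DOCTYPE StyledLayerDescriptor [<!ENTITY e "constructed">]>
<StyledLayerDescriptor xmlns="http://www.opengis.net/sld">
  <NamedLayer><Name>&e;</Name></NamedLayer>
</StyledLayerDescriptor>"""
```

Rejecting every DTD is stricter than disabling entity resolution, which suits SLD uploads because a legitimate style document has no need for a DOCTYPE.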

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2023-26043
GHSA-MCMC-C59M-PQQ8
PYSEC-2023-15

Affected Products

Geonode
Geoserver