PT-2023-27211 · Geonode · Geonode

Imthatt · Published 2023-08-24 · Updated 2024-11-21 · CVE-2023-40017

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

GeoNode versions 3.2.0 through 4.1.2

Description

The issue is a server-side request forgery (SSRF) problem in GeoNode. The endpoint /proxy/?url= does not properly protect against this type of attack, allowing an attacker to port scan internal hosts and request information from them. A URL of the form /proxy/?url=http://169.254.169.254@whitelistedIPhere can be used to determine whether an internal host is alive. Additionally, an attacker can place a hash fragment in the URL, as in /proxy/?url=http://169.254.169.254@#whitelisteddomain.com or /proxy/?url=http://169.254.169.254@%23whitelisteddomain.com, to display metadata.

Recommendations

For GeoNode versions 3.2.0 through 4.1.2, apply the patch available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9 to resolve the issue. As a temporary workaround, consider restricting access to the /proxy/?url= endpoint until the patch is applied.
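The URL forms in the description all carry a userinfo part (`@`) or an encoded `#` in the authority, so a proxy allowlist check has to work on the parsed host rather than on the raw string. The following is an added illustration of such a check, not GeoNode's patch or code from the advisory; `check_proxy_url`, `is_internal` and the `resolve` hook are hypothetical names, and `whitelisteddomain.com` is the placeholder host used in the description.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Host names limited to letters, digits, dots and hyphens (no %, #, @ ...).
_HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def is_internal(addr):
    """True for loopback, link-local (169.254.0.0/16), private or reserved IPs."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_unspecified)


def check_proxy_url(url, allowed_hosts, resolve=None):
    """Return (ok, reason); allowed_hosts is a set of lower-case host names.

    resolve is an optional callable host -> list of IP strings (assumed hook
    so the check runs offline; in production it would wrap socket.getaddrinfo).
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased host with userinfo and port removed
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    # Reject any userinfo: parsers disagree on which side of '@' is the host.
    if "@" in parts.netloc:
        return False, "userinfo not allowed"
    # Reject empty hosts and hosts carrying encoded delimiters such as %23.
    if not host or not _HOST_RE.match(host):
        return False, "invalid host"
    if host not in allowed_hosts:  # exact match, never a substring test
        return False, "host not in allowlist"
    # Defense in depth: an allowlisted name must not resolve to an internal IP.
    if resolve is not None and any(is_internal(a) for a in resolve(host)):
        return False, "host resolves to internal address"
    return True, "ok"
```

The proxy should then fetch exactly the URL that was validated and should not follow redirects without re-running the check on each hop.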

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2023-40017
GHSA-RMXG-6QQF-X8MR
PYSEC-2023-269

Affected Products

Geonode