PT-2023-27915 · Geoserver · Geoserver

Remsio-Syn +2 · Published 2023-10-24 · Updated 2023-10-31 · CVE-2023-41339
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions
GeoServer versions prior to 2.22.5
GeoServer versions prior to 2.23.2
GeoServer version 2.10.3
GeoServer version 2.11.1

Description
The issue concerns the use of dynamic styles in GeoServer, which can lead to Server-Side Request Forgery (SSRF). This is possible when dynamic styles are enabled without configuring URL checks, allowing an attacker to steal user NetNTLMv2 hashes. These hashes could be relayed or cracked externally to gain further access. The vulnerability can be exploited through the WMS endpoint, specifically using the sld=<url> parameter in the GetMap, GetLegendGraphic, and GetFeatureInfo operations.

Recommendations
For GeoServer versions 2.10.3 and 2.11.1, disable dynamic styling by navigating to Services > WMS Settings, locating the "Dynamic styling" heading, and selecting the "Disable usage of SLD and SLD BODY parameters in GET requests and user styles in POST" checkbox.
For GeoServer versions 2.22.5 and 2.23.2, enable URL Checks by navigating to Security > URL Checks, enabling the "URL Checks are enabled" setting, and configuring trusted locations according to the user manual.
For GeoServer version 2.24.0 and later, safe use of dynamic styling is enabled by default, so no additional action is required.
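A log check for the exposure described above, added here as an example and not part of the advisory or of GeoServer: it scans constructed access-log lines for GetMap, GetLegendGraphic and GetFeatureInfo requests whose sld parameter references a location outside an assumed allowlist of trusted style hosts (the hostnames, IPs and log lines are placeholders).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not from any real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2023:10:01:02 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&sld=http://192.0.2.10/style.sld HTTP/1.1" 200 5120
10.0.0.6 - - [24/Oct/2023:10:01:05 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetLegendGraphic&LAYER=topp:states&SLD=https://styles.example.internal/legend.sld HTTP/1.1" 200 880
10.0.0.7 - - [24/Oct/2023:10:01:09 +0000] "GET /geoserver/wms?service=WMS&request=GetFeatureInfo&sld=http%3A%2F%2F198.51.100.7%2Finfo.sld HTTP/1.1" 400 210
10.0.0.8 - - [24/Oct/2023:10:01:11 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&styles=population HTTP/1.1" 200 4096
"""

# The three WMS operations the advisory names as accepting a remote sld reference.
WMS_OPS = {"getmap", "getlegendgraphic", "getfeatureinfo"}

# Assumed allowlist of trusted style hosts (placeholder), standing in for the
# "trusted locations" an operator would configure under URL Checks.
TRUSTED_HOSTS = {"styles.example.internal"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_dynamic_style_requests(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (ip, timestamp, operation, sld_value) for every WMS request whose
    sld parameter points somewhere other than an allowlisted http(s) host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m["target"]).query
        # WMS parameter names are case-insensitive, so normalise the keys;
        # parse_qs also percent-decodes values such as http%3A%2F%2F...
        params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
        op = params.get("request", "").lower()
        sld = params.get("sld")
        if op not in WMS_OPS or not sld:
            continue
        ref = urlsplit(sld)
        if ref.scheme in ("http", "https") and ref.hostname in trusted_hosts:
            continue  # remote style from a trusted location
        findings.append((m["ip"], m["ts"], op, sld))
    return findings


if __name__ == "__main__":
    for ip, ts, op, sld in flag_dynamic_style_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {op} untrusted sld={sld}")
```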

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2023-41339
GHSA-CQPC-X2C6-2GMF

Affected Products

Geoserver