PT-2023-28341 · Geonode · Geonode

Imthatt · Published 2023-09-15 · Updated 2023-11-04 · CVE-2023-42439

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: GeoNode versions 3.2.0 through 4.1.3

Description: An SSRF vulnerability exists that bypasses the software's existing controls. It allows a user to request internal services for a full-read SSRF, returning any data from the internal network. The application uses a whitelist of allowed hosts, but the whitelist can be bypassed with @ or %40. For example, a GET request to /proxy/?url=http://development.demo.geonode.org%40geoserver:8080/geoserver/web tricks the application into treating the first host as a whitelisted address, while the HTTP client (as a browser would) interprets everything before @ or %40 as credentials and sends the request to the host geoserver on port 8080, returning that host's data in the response.

Recommendations: For versions 3.2.0 through 4.1.3, update to version 4.1.3.post1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /proxy/ API endpoint until a patch is available. Avoid using the url parameter of the affected API endpoint with @ or %40 characters until the issue is resolved.
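The flaw described above is a host allowlist evaluated against the textual start of the URL rather than against the parsed hostname. The following added example (not GeoNode's code; the allowlist value and function names are constructed for illustration) contrasts a prefix-style check, which the @ / %40 form defeats, with a hardened check that parses the URL once, refuses any userinfo, and compares the parsed hostname exactly. It also goes beyond the advisory's case by showing that exact hostname matching stops a related prefix bypass such as an attacker-controlled subdomain that merely begins with the allowlisted name.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; GeoNode's real configuration
# is not reproduced here.
ALLOWED_HOSTS = {"development.demo.geonode.org"}


def weak_check(url: str) -> bool:
    """Illustrates the flawed pattern: accept the URL if the text after the
    scheme *starts with* an allowlisted host. Anything placed before '@'
    (or '%40') still passes, even though the HTTP client will treat it as
    credentials and connect to the host after the '@'."""
    rest = url.split("://", 1)[-1]
    return any(rest.startswith(host) for host in ALLOWED_HOSTS)


def hardened_check(url: str) -> bool:
    """Hardened allowlist: parse, refuse userinfo, compare hostname exactly."""
    parts = urlsplit(url)

    # Only plain web schemes are sensible proxy targets.
    if parts.scheme not in ("http", "https"):
        return False

    # A legitimate proxy target never needs embedded credentials, and the
    # '@' / '%40' bypass depends on them. Check the raw authority too, so an
    # encoded '%40' that a later decoding step would turn into '@' is also
    # rejected rather than parsed as part of the hostname.
    if "@" in parts.netloc or "%40" in parts.netloc.lower():
        return False
    if parts.username is not None or parts.password is not None:
        return False

    # urlsplit().hostname is lowercased and excludes the port and brackets,
    # so an exact set membership test is the correct comparison.
    host = parts.hostname
    if not host:
        return False
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    samples = [
        "http://development.demo.geonode.org/geoserver/web",
        "http://development.demo.geonode.org@geoserver:8080/geoserver/web",
        "http://development.demo.geonode.org%40geoserver:8080/geoserver/web",
        "http://development.demo.geonode.org.attacker.example/",
    ]
    for url in samples:
        print(f"{url}\n  weak={weak_check(url)} hardened={hardened_check(url)}")
```

The second sample is the advisory's own bypass URL with the %40 already decoded, as it would be after the query string is parsed; the third is the encoded form. The weak check accepts both, the hardened check rejects both and accepts only the genuine allowlisted host.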

SSRF

Related Identifiers

CVE-2023-42439
GHSA-PXG5-H34R-7Q8P
PYSEC-2023-176

Affected Products

Geonode