CVE-2023-43795

Name of the Vulnerable Software and Affected Versions GeoServer versions prior to 2.22.5 GeoServer versions prior to 2.23.2 GeoServer version 2.20.5 GeoServer version 2.21.0

Description The OGC Web Processing Service (WPS) specification in GeoServer allows processing of information from any server using GET and POST requests, presenting an opportunity for Server Side Request Forgery (SSRF). This issue requires the WPS extension to be installed, the WPS security setting "Disable complex inputs" to be unselected, and security URL checks to be disabled. The vulnerability has been patched in versions 2.22.5 and 2.23.2.

Recommendations For GeoServer 2.20.5 and GeoServer 2.21.0: To disable complex remote inputs, navigate to Security > WPS Security page, locate the Complex Inputs heading, and select the check box for Disable loading complex inputs from remote references. For GeoServer 2.22.5 and GeoServer 2.23.2: To allow processing of complex inputs safely, navigate to Security > URL Checks, enable URL Checks, and check the user manual for examples of how to trust specific locations for external services. For GeoServer 2.24.0 and later: No action is required as processing of complex inputs safely is enabled by default.