- Description: GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4 or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike`` misuse, and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.
- Source: security-advisories@github.com
- NVD status: Modified

CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- Hype score: Not currently trending
CVE-2023-25157 - GeoServer SQL Injection vulnerabilities arise from insufficient sanitization of user input in the CQL_FILTER parameter of WFS and WMS protocols https://t.co/Fwiz8YDlBC
@0x3n0
25 Jan 2025
As most CVEs we track decrease in scanning, we notice a spike in the scanning of CVE-2023-25157, a critical vulnerability in the GeoServer software project. Review our summary to see what other trends we spotted. https://t.co/ykgZspcIY2 #F5Labs #IoT https://t.co/JJAzuH5hsv
@F5Labs
20 Nov 2024
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CAC1A80B-98D3-4625-8819-EA1B81CE00F8",
            "versionEndExcluding": "2.18.7"
          },
          {
            "criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6FA3065D-87A8-4DC1-8E2D-0FFEF02CAC79",
            "versionEndExcluding": "2.19.7",
            "versionStartIncluding": "2.19.0"
          },
          {
            "criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "10778C77-EB5C-4F66-B915-67BF09BDD364",
            "versionEndExcluding": "2.20.7",
            "versionStartIncluding": "2.20.0"
          },
          {
            "criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5CDCB1FA-BF94-4CB6-BC14-C38777BCDB89",
            "versionEndExcluding": "2.21.4",
            "versionStartIncluding": "2.21.0"
          },
          {
            "criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "873D8AE3-D184-486E-86AB-E0D00454C533",
            "versionEndExcluding": "2.22.2",
            "versionStartIncluding": "2.22.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]