Unfiltered SQL Injection Vulnerabilities in Geoserver
Description
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate `strEndsWith`, `strStartsWith` and `PropertyIsLike` misuse, and enable the PostGIS DataStore *preparedStatements* setting to mitigate the `FeatureId` misuse.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| `org.geoserver.community:gs-jdbcconfig` (Maven) | < 2.21.4 | 2.21.4 |
| `org.geoserver.community:gs-jdbcconfig` (Maven) | >= 2.22.0, < 2.22.2 | 2.22.2 |
References
- https://github.com/advisories/GHSA-7g5f-wrx8-5ccf (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-25157 (NVD entry)
- https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d (GeoServer commit)
- https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf (GeoServer security advisory)