SQL Injection Affecting org.geoserver.community:gs-jdbcconfig package, versions [0,]
Snyk ID SNYK-JAVA-ORGGEOSERVERCOMMUNITY-3329428
- published 22 Feb 2023
- disclosed 22 Feb 2023
- credit sikeoka
Introduced: 22 Feb 2023
CVE-2023-25157
How to fix?
A fix was pushed into the master branch but not yet published.
Overview
org.geoserver.community:gs-jdbcconfig provides GeoServer Catalog configuration management in a database.
Affected versions of this package are vulnerable to SQL Injection due to improper escaping of user input. Exploitation is possible through the following:
- PropertyIsLike filter, when used with a String field and any database DataStore, or with a PostGIS DataStore with encode functions enabled
- strStartsWith function, when used with a PostGIS DataStore with encode functions enabled
- FeatureId filter, when used with any database table having a String primary key column and when prepared statements are disabled
- jsonArrayContains function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only)
- DWithin filter, when used with an Oracle DataStore
Workarounds:
- Disabling the PostGIS DataStore encode functions setting to mitigate the strEndsWith and strStartsWith vulnerabilities (Like filters have no mitigation if there is a string field in the published feature type).
- Enabling the PostGIS DataStore preparedStatements setting to mitigate the FeatureId vulnerability.
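As an added example, not code from the advisory or from GeoServer itself, the following audit reads a datastore's connection parameters as GeoServer's REST API returns them and reports which of the two workarounds above are missing, then shows the same datastore with both applied. The REST endpoint path, the `dbtype` key and the exact `encode functions` / `preparedStatements` entry keys are assumptions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the datastore XML GeoServer's REST API returns
# (assumed endpoint: GET /geoserver/rest/workspaces/<ws>/datastores/<ds>.xml).
# Both settings are in the weak state named by the advisory.
SAMPLE_DATASTORE_XML = """<dataStore>
  <name>roads</name>
  <type>PostGIS</type>
  <connectionParameters>
    <entry key="dbtype">postgis</entry>
    <entry key="host">db.example.internal</entry>
    <entry key="encode functions">true</entry>
    <entry key="preparedStatements">false</entry>
  </connectionParameters>
</dataStore>"""

# Values the workarounds require (entry keys are assumed to match the UI labels).
WORKAROUND_SETTINGS = {"encode functions": "false", "preparedStatements": "true"}


def connection_params(datastore_xml):
    """Return the <connectionParameters> entries as a plain dict of key -> text."""
    root = ET.fromstring(datastore_xml)
    return {e.get("key"): (e.text or "").strip()
            for e in root.findall("./connectionParameters/entry")}


def audit_datastore(datastore_xml):
    """List the CVE-2023-25157 workarounds this datastore does not apply.

    An absent entry is treated as the GeoTools default (both settings off),
    so a missing preparedStatements entry counts as disabled.
    """
    params = connection_params(datastore_xml)
    findings = []
    if params.get("dbtype") == "postgis" and params.get("encode functions", "false").lower() == "true":
        findings.append("encode functions enabled: strStartsWith/strEndsWith not mitigated")
    if params.get("preparedStatements", "false").lower() != "true":
        findings.append("preparedStatements disabled: FeatureId on String primary keys not mitigated")
    return findings


def with_workarounds(datastore_xml):
    """Return the datastore XML with both workaround settings set, adding absent entries."""
    root = ET.fromstring(datastore_xml)
    cp = root.find("./connectionParameters")
    pending = dict(WORKAROUND_SETTINGS)
    for entry in cp.findall("entry"):
        if entry.get("key") in pending:
            entry.text = pending.pop(entry.get("key"))
    for key, value in pending.items():  # setting was not present at all
        ET.SubElement(cp, "entry", key=key).text = value
    return ET.tostring(root, encoding="unicode")
```

The PropertyIsLike vector has no configuration workaround, so a clean audit result still leaves String fields exposed until the fixed release is installed.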