SQL Injection Affecting org.geotools:gt-jdbc package, versions [,27.5)[28-RC,28.3)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.18% (56th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about SQL Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGGEOTOOLS-3329307
  • published22 Feb 2023
  • disclosed22 Feb 2023
  • creditSteve Ikeoka

Introduced: 22 Feb 2023

CVE-2023-25158  (opens in a new tab)
CWE-89  (opens in a new tab)

How to fix?

Upgrade org.geotools:gt-jdbc to version 27.5, 28.3 or higher.

Overview

Affected versions of this package are vulnerable to SQL Injection when executing OGC Filters with JDBCDataStore implementations.

Vulnerable Components:

  1. PropertyIsLike filter

  2. strEndsWith function

  3. strStartsWith function

  4. FeatureId filter

  5. jsonArrayContains function

  6. DWithin filter

Workaround

Users unable to upgrade should disable encode functions for PostGIS DataStores or enable prepared statements for JDBCDataStores as a partial mitigation.

References

CVSS Scores

version 3.1