CVE-2023-25157 CRITICAL

CVE-2023-25157: Unfiltered SQL Injection Vulnerabilities in Geoserver

Vendor Geoserver

Product geoserver

Weakness CWE-89 · SQLi

Published February 21, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.

Key dates

02Disclosure timeline

February 21, 2023 CVE published

March 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-25157

Related vulnerabilities

Identifiers

CVE CVE-2023-25157

CWE CWE-89

CVSS 9.8 / CRITICAL

Affected versions

Vendor Geoserver

Product geoserver

Affected >= 2.22.0, < 2.22.2

Vendor Geoserver

Product geoserver

Affected < 2.21.4

CVE-2023-25157: Unfiltered SQL Injection Vulnerabilities in Geoserver

01Description

02Disclosure timeline

03References

04Related CVE