CVE-2023-41339 HIGH

CVE-2023-41339: Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF in GeoServer

Vendor Geoserver
Product geoserver
Weakness CWE-918 · SSRF
Published October 24, 2023
Last update September 11, 2024
View on NVD All CVEs

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=<url>`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2.

Key dates

02Disclosure timeline

October 24, 2023 CVE published
September 11, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-4366 Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak CVE-2026-39845 Weblate: SSRF via the webhook add-on using unprotected fetch_url() CVE-2026-41905 FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl: redirect destination not re-validated, allowing internal HTTP / cloud-metadata access CVE-2025-0188 SSRF in gaizhenbiao/chuanhuchatgpt CVE-2024-51665 WordPress Magical Addons For Elementor plugin <= 1.2.1 - Server Side Request Forgery (SSRF) vulnerability