CVE-2023-43795 HIGH

CVE-2023-43795: WPS Server Side Request Forgery in GeoServer

Vendor Geoserver

Product geoserver

Weakness CWE-918 · SSRF

Published October 24, 2023

Last update September 17, 2024

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.

Key dates

02Disclosure timeline

October 24, 2023 CVE published

September 17, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-43795 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/918.html

Related vulnerabilities

Identifiers

CVE CVE-2023-43795

CWE CWE-918

CVSS 8.6 / HIGH

Affected versions

Vendor Geoserver

Product geoserver

Affected < 2.22.5

Vendor Geoserver

Product geoserver

Affected >= 2.23.0, < 2.23.2

CVE-2023-43795: WPS Server Side Request Forgery in GeoServer

01Description

02Disclosure timeline

03References

04Related CVE