CVE-2023-25157

Published: Feb 21, 2023

Modified: Mar 10, 2025

PUBLISHED

CVSS v3.1

9.8

CRITICAL

Description

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.

Vendor	Product	Versions
geoserver	geoserver	affected `>= 2.22.0, < 2.22.2` affected `< 2.21.4`

Weaknesses (CWE)

CWE-89

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf

x_refsource_CONFIRM

https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-25157

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References