Buffer overflow in the msTmpFile function in maputil.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 allows local users to cause a denial of service via vectors involving names of temporary files.
CVSS 2.0
Severity: LOW
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | 4.8.0 |
| osgeo | mapserver | * |
| osgeo | mapserver | 4.2.0 |
| osgeo | mapserver | 4.10.1 |
| osgeo | mapserver | 4.10.0 |
| osgeo | mapserver | 4.10.3 |
| osgeo | mapserver | 5.4.0 |
| osgeo | mapserver | 5.2.0 |
| osgeo | mapserver | 5.6.0 |
| osgeo | mapserver | 5.4.2 |
| osgeo | mapserver | 4.6.0 |
| osgeo | mapserver | 5.4.1 |
| osgeo | mapserver | 4.4.0 |
| osgeo | mapserver | 4.10.4 |
| umn | mapserver | 4.0 |
| osgeo | mapserver | 4.10.2 |
| osgeo | mapserver | 5.0.0 |
| osgeo | mapserver | 5.2.1 |
| osgeo | mapserver | 5.6.1 |
mapserv.c in mapserv in MapServer before 4.10.6 and 5.x before 5.6.4 does not properly restrict the use of CGI command-line arguments that were intended for debugging, which allows remote attackers to have an unspecified impact via crafted arguments.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | 4.8.0 |
| osgeo | mapserver | * |
| osgeo | mapserver | 4.2.0 |
| osgeo | mapserver | 4.10.1 |
| osgeo | mapserver | 4.10.0 |
| osgeo | mapserver | 4.10.3 |
| osgeo | mapserver | 5.4.0 |
| osgeo | mapserver | 5.2.0 |
| osgeo | mapserver | 5.6.0 |
| osgeo | mapserver | 5.4.2 |
| osgeo | mapserver | 4.6.0 |
| osgeo | mapserver | 5.4.1 |
| osgeo | mapserver | 4.4.0 |
| osgeo | mapserver | 4.10.4 |
| umn | mapserver | 4.0 |
| osgeo | mapserver | 4.10.2 |
| osgeo | mapserver | 5.0.0 |
| osgeo | mapserver | 5.2.1 |
| osgeo | mapserver | 5.6.1 |
Multiple SQL injection vulnerabilities in MapServer before 4.10.7, 5.x before 5.6.7, and 6.x before 6.0.1 allow remote attackers to execute arbitrary SQL commands via vectors related to (1) OGC filter encoding or (2) WMS time support.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | 4.8.0 |
| osgeo | mapserver | * |
| osgeo | mapserver | 4.2.0 |
| osgeo | mapserver | 5.4.0 |
| umn | mapserver | 5.2.2 |
| osgeo | mapserver | 5.2.0 |
| osgeo | mapserver | 5.6.0 |
| umn | mapserver | 5.6.5 |
| umn | mapserver | 5.6.6 |
| osgeo | mapserver | 4.4.0 |
| osgeo | mapserver | 4.10.4 |
| osgeo | mapserver | 5.2.1 |
| osgeo | mapserver | 5.6.1 |
| umn | mapserver | 5.2.3 |
| umn | mapserver | 5.6.4 |
| osgeo | mapserver | 4.10.1 |
| osgeo | mapserver | 4.10.0 |
| osgeo | mapserver | 4.10.3 |
| osgeo | mapserver | 4.10.5 |
| osgeo | mapserver | 5.4.2 |
| osgeo | mapserver | 4.6.0 |
| osgeo | mapserver | 5.4.1 |
| umn | mapserver | 6.0.0 |
| osgeo | mapserver | 4.10.2 |
| osgeo | mapserver | 5.0.0 |
| osgeo | mapserver | 5.6.3 |
Stack-based buffer overflow in MapServer before 4.10.7 and 5.x before 5.6.7 allows remote attackers to execute arbitrary code via vectors related to OGC filter encoding.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | 4.8.0 |
| osgeo | mapserver | * |
| osgeo | mapserver | 4.2.0 |
| osgeo | mapserver | 5.4.0 |
| umn | mapserver | 5.2.2 |
| osgeo | mapserver | 5.2.0 |
| osgeo | mapserver | 5.6.0 |
| umn | mapserver | 5.6.5 |
| umn | mapserver | 5.6.6 |
| osgeo | mapserver | 4.4.0 |
| osgeo | mapserver | 4.10.4 |
| osgeo | mapserver | 5.2.1 |
| osgeo | mapserver | 5.6.1 |
| umn | mapserver | 5.2.3 |
| umn | mapserver | 5.6.4 |
| osgeo | mapserver | 4.10.1 |
| osgeo | mapserver | 4.10.0 |
| osgeo | mapserver | 4.10.3 |
| osgeo | mapserver | 4.10.5 |
| osgeo | mapserver | 5.4.2 |
| osgeo | mapserver | 4.6.0 |
| osgeo | mapserver | 5.4.1 |
| osgeo | mapserver | 4.10.2 |
| osgeo | mapserver | 5.0.0 |
| osgeo | mapserver | 5.6.3 |
Double free vulnerability in the msAddImageSymbol function in mapsymbol.c in MapServer before 6.0.1 might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact via crafted mapfile data.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | 4.8.0 |
| osgeo | mapserver | * |
| osgeo | mapserver | 4.2.0 |
| umn | mapserver | 5.6.7 |
| osgeo | mapserver | 5.4.0 |
| umn | mapserver | 5.2.2 |
| osgeo | mapserver | 5.2.0 |
| osgeo | mapserver | 5.6.0 |
| umn | mapserver | 5.6.5 |
| umn | mapserver | 5.6.6 |
| osgeo | mapserver | 4.4.0 |
| osgeo | mapserver | 4.10.4 |
| osgeo | mapserver | 5.2.1 |
| osgeo | mapserver | 5.6.1 |
| umn | mapserver | 5.2.3 |
| umn | mapserver | 5.6.4 |
| osgeo | mapserver | 4.10.1 |
| osgeo | mapserver | 4.10.0 |
| osgeo | mapserver | 4.10.3 |
| osgeo | mapserver | 4.10.5 |
| osgeo | mapserver | 5.4.2 |
| osgeo | mapserver | 4.6.0 |
| osgeo | mapserver | 5.4.1 |
| umn | mapserver | 6.0.0 |
| osgeo | mapserver | 4.10.2 |
| umn | mapserver | 4.10.7 |
| osgeo | mapserver | 5.0.0 |
| osgeo | mapserver | 5.6.3 |
SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | 4.8.0 |
| osgeo | mapserver | * |
| osgeo | mapserver | 4.2.0 |
| umn | mapserver | 5.6.7 |
| osgeo | mapserver | 5.4.0 |
| osgeo | mapserver | 5.2.0 |
| osgeo | mapserver | 5.6.0 |
| osgeo | mapserver | 6.0.1 |
| osgeo | mapserver | 4.4.0 |
| osgeo | mapserver | 4.10.4 |
| osgeo | mapserver | 5.2.1 |
| osgeo | mapserver | 5.6.1 |
| umn | mapserver | 5.2.3 |
| osgeo | mapserver | 4.10.1 |
| osgeo | mapserver | 4.10.0 |
| osgeo | mapserver | 6.0.3 |
| osgeo | mapserver | 4.10.3 |
| osgeo | mapserver | 4.10.5 |
| osgeo | mapserver | 6.0.2 |
| osgeo | mapserver | 6.2.1 |
| osgeo | mapserver | 5.4.2 |
| osgeo | mapserver | 4.6.0 |
| osgeo | mapserver | 6.2.0 |
| osgeo | mapserver | 5.4.1 |
| umn | mapserver | 6.0.0 |
| osgeo | mapserver | 4.10.2 |
| osgeo | mapserver | 5.0.0 |
| osgeo | mapserver | 5.6.3 |
In MapServer before 7.0.3, OGR driver error messages are too verbose and may leak sensitive information if data connection fails.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | * |
Stack-based buffer overflow in MapServer before 6.0.6, 6.2.x before 6.2.4, 6.4.x before 6.4.5, and 7.0.x before 7.0.4 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving WFS get feature requests.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | 6.2.2 |
| osgeo | mapserver | * |
| osgeo | mapserver | 7.0.0 |
| debian | debian_linux | 8.0 |
| osgeo | mapserver | 6.2.3 |
| osgeo | mapserver | 7.0.1 |
| osgeo | mapserver | 6.2.1 |
| osgeo | mapserver | 7.0.2 |
| osgeo | mapserver | 6.4.4 |
| osgeo | mapserver | 6.2.0 |
| osgeo | mapserver | 7.0.3 |
| osgeo | mapserver | 6.4.1 |
| osgeo | mapserver | 6.4.3 |
| osgeo | mapserver | 6.4.2 |
| osgeo | mapserver | 6.4.0 |
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-415,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 30 |
| oracle | spatial_and_graph | 19c |
| oracle | spatial_and_graph | 12.2.0.1 |
| opensuse | leap | 15.1 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| fedoraproject | fedora | 31 |
| opensuse | backports_sle | 15.0 |
| debian | debian_linux | 10.0 |
| osgeo | gdal | * |
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-190,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| libtiff | libtiff | * |
| osgeo | gdal | * |
netCDF in GDAL 2.4.2 through 3.0.4 has a stack-based buffer overflow in nc4_get_att (called from nc4_get_att_tc and nc_get_att_text) and in uffd_cleanup (called from netCDFDataset::~netCDFDataset and netCDFDataset::~netCDFDataset).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | gdal | * |
A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geonetwork | * |
| osgeo | geonetwork | 4.0.0 |
MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x before 7.4.5, and 7.5.x and 7.6.x before 7.6.3 does not properly enforce the MS_MAP_NO_PATH and MS_MAP_PATTERN restrictions that are intended to control the locations from which a mapfile may be loaded (with MapServer CGI).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | * |
| fedoraproject | fedora | 34 |
| fedoraproject | fedora | 33 |
An XML external entity (XXE) injection in PyWPS before 4.4.5 allows an attacker to view files on the application server filesystem by assigning a path to the entity. OWSLib 0.24.1 may also be affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | pywps | * |
| debian | debian_linux | 9.0 |
| osgeo | owslib | 0.24.1 |
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-918,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::CPCIDSKFile::ReadFromFile (called from PCIDSK::CPCIDSKSegment::ReadFromFile and PCIDSK::CPCIDSKBinarySegment::CPCIDSKBinarySegment).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | spatial_and_graph | 19c |
| debian | debian_linux | 11.0 |
| fedoraproject | fedora | 35 |
| fedoraproject | fedora | 34 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| osgeo | gdal | * |
| oracle | spatial_and_graph | 21c |
A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over malloc.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | shapelib | * |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API. The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 1.19.6. Users unable to upgrade should restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-917,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| disclosure@vulncheck.com | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geonetwork | * |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| security-advisories@github.com | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version 4.0.3.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geonode | * |
OWSLib is a Python package for client programming with Open Geospatial Consortium (OGC) web service interface standards, and their related content models. OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. This issue has been addressed in version 0.28.1. All users are advised to upgrade. The only known workaround is to patch the library manually. See `GHSA-8h9c-r582-mggc` for details.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L | 3.9 | 4.2 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | owslib | * |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The WMS specification defines an ``sld=<url>`` parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery. This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access. This vulnerability has been patched in versions 2.22.5 and 2.23.2.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L | 3.9 | 4.7 |
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L | 3.9 | 4.7 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 9.3 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N | 3.9 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restrict. This vulnerability is fixed in 2.26.0.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 5.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L | 1.2 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
Buffer Overflow vulnerability in gdal 3.10.2 allows a local attacker to cause a denial of service via the OGRSpatialReference::Release function. NOTE: the Supplier indicates that the report is invalid and could not be reproduced.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | gdal | 3.10.2 |
GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geoserver | * |
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| security-advisories@github.com | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L | 3.9 | 5.3 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | geonetwork | * |
| osgeo | geoserver | 2.27.0 |
| osgeo | geoserver | * |
| geotools | geotools | * |
| geotools | geotools | 33.0 |
MapServer is a system for developing web-based GIS applications. Prior to 8.4.1, the XML Filter Query directive PropertyName is vulnerably to Boolean-based SQL injection. It seems like expression checking is bypassed by introducing double quote characters in the PropertyName. Allowing to manipulate backend database queries. This vulnerability is fixed in 8.4.1.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| osgeo | mapserver | 8.4.0 |