{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-43795", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-09-22T14:51:42.339Z", "datePublished": "2023-10-24T22:14:30.956Z", "dateUpdated": "2023-10-24T22:14:30.956Z"}, "containers": {"cna": {"title": "WPS Server Side Request Forgery in GeoServer", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956"}], "affected": [{"vendor": "geoserver", "product": "geoserver", "versions": [{"version": "< 2.22.5", "status": "affected"}, {"version": ">= 2.23.0, < 2.23.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-10-24T22:14:30.956Z"}, "descriptions": [{"lang": "en", "value": "GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2."}], "source": {"advisory": "GHSA-5pr3-m5hm-9956", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BB82E9C-10E3-41B9-AA40-80D45DC3989F", "versionEndExcluding": "2.22.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "765C2F28-6A4F-42C4-AA52-D984D0F2F0A6", "versionEndExcluding": "2.23.2", "versionStartIncluding": "2.23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2."}, {"lang": "es", "value": "GeoServer es un servidor de software de c\u00f3digo abierto escrito en Java que permite a los usuarios compartir y editar datos geoespaciales. La especificaci\u00f3n del Servicio de procesamiento web (WPS) de OGC est\u00e1 dise\u00f1ada para procesar informaci\u00f3n de cualquier servidor mediante solicitudes GET y POST. Esto presenta la oportunidad de falsificar solicitudes del lado del servidor. Esta vulnerabilidad ha sido parcheada en las versiones 2.22.5 y 2.23.2."}], "id": "CVE-2023-43795", "lastModified": "2023-11-01T16:19:00.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-10-25T18:17:32.180", "references": [{"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}