9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-25157

GHSA ID

GHSA-7g5f-wrx8-5ccf

EPSS Score

0.9985%

CWE

CWE-89

Published

2/22/2023

Updated

2/22/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-25157

CVE-2023-25157: GeoServer OGC Filter SQL Injection Vulnerabilities

Impact

GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages.

SQL Injection Vulnerabilities have been found with:

PropertyIsLike filter, when used with a String field and any database DataStore, or with a PostGIS DataStore with encode functions enabled
strEndsWith function, when used with a PostGIS DataStore with encode functions enabled
strStartsWith function, when used with a PostGIS DataStore with encode functions enabled
FeatureId filter, when used with any database table having a String primary key column and when prepared statements are disabled
jsonArrayContains function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only)
DWithin filter, when used with an Oracle DataStore

Patches

GeoSever 2.21.4
GeoServer 2.22.2
GeoServer 2.20.7
GeoServer 2.19.7
GeoServer 2.18.7

Workarounds

Disabling the PostGIS Datastore encode functions setting to mitigate strEndsWith, strStartsWith vulnerabilities (Like filters have no mitigation, if there is a string field in the feature type published).
Enabling the PostGIS DataStore preparedStatements setting to mitigate the FeatureId vulnerability.

References

OGC Filter SQL Injection Vulnerabilities (GeoTools)
OGC Filter Injection Vulnerability Statement (GeoServer Blog)

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-25157

GHSA ID

GHSA-7g5f-wrx8-5ccf

EPSS Score

0.9985%

CWE

CWE-89

Published

2/22/2023

Updated

2/22/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geoserver.community:gs-jdbcconfig	maven	< 2.21.4	2.21.4
org.geoserver.community:gs-jdbcconfig	maven	>= 2.22.0, < 2.22.2	2.22.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two primary issues: 1) Direct string concatenation in OGC filter handling (particularly PropertyIsLike) without parameterization, visible in the FilterToCatalogSQL.java diff where LIKE patterns were moved to parameterized queries. 2) Unsafe comment generation in debug mode, addressed by the escapeComment() method in Dialect.java. The commit shows these functions were modified to add parameter binding and comment escaping, confirming their vulnerable prior state.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t **oS*rv*r in*lu**s support *or t** O** *ilt*r *xpr*ssion l*n*u*** *n* t** O** *ommon Qu*ry L*n*u*** (*QL) *s p*rt o* t** W** ***tur* S*rvi** (W*S) *n* W** M*p S*rvi** (WMS) proto*ols. *QL is *lso support** t*rou** t** W** *ov*r*** S*rvi*

Reasoning

T** vuln*r**ility st*mm** *rom two prim*ry issu*s: *) *ir**t strin* *on**t*n*tion in O** *ilt*r **n*lin* (p*rti*ul*rly Prop*rtyIsLik*) wit*out p*r*m*t*riz*tion, visi*l* in t** `*ilt*rTo**t*lo*SQL.j*v*` *i** w**r* LIK* p*tt*rns w*r* mov** to p*r*m*t*r

9.8

Basic Information

Concerned about an active attack path?

CVE-2023-25157: GeoServer OGC Filter SQL Injection Vulnerabilities

Impact

Patches

Workarounds

References

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI