CVE-2024-40625: Coverage REST API Server Side Request Forgery
5.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.geoserver:gs-rest | maven | < 2.26.0 | 2.26.0 |
| org.geoserver.web:gs-web-app | maven | < 2.26.0 | 2.26.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the Coverage REST API, specifically in the 'url' upload method, which accepts a URL in the request body and fetches the coverage file from that location. The advisory description points at RESTUtils.java (line 176 in the linked version), which falls inside the getRemoteSource method of org.geoserver.rest.util.RESTUtils. That method takes the user-supplied URL (sourceURLValue) and opens a connection to it without first passing it through GeoServer's URL Checks feature (URLCheckers.confirm(fileURL)), the mechanism GeoServer provides for restricting which remote locations the server is allowed to contact. An attacker able to call this endpoint can therefore supply a URL that makes the server issue requests to internal or otherwise unintended services, which is the defining behaviour of server-side request forgery (SSRF). getRemoteSource is thus the vulnerable function, and the fix is to call URLCheckers.confirm() on the URL inside it before any request is made, so that only locations accepted by the configured URL checks are fetched. Note that this gate is only as strong as the URL Checks configuration: after upgrading to 2.26.0, keep the feature enabled with a restrictive allow-list of permitted remote locations.
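The following is an added illustration, not GeoServer's actual source, of the shape of the flaw described above and of the fix: a simplified getRemoteSource that fetches the caller-supplied URL as-is, beside a version that gates the fetch on GeoServer's URL Checks. URLCheckers.confirm and URLCheckException are the real GeoServer types from org.geoserver.security.urlchecks; the method and variable names, the fixed destination file name and the use of URL.openStream() are assumptions made for the example and do not reproduce the real method body.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

import org.geoserver.security.urlchecks.URLCheckException;
import org.geoserver.security.urlchecks.URLCheckers;

/** Added example: vulnerable vs. hardened shape of a "fetch the upload from a URL" helper. */
public class RemoteSourceExample {

    /**
     * Vulnerable shape (assumed simplification of the pre-2.26.0 behaviour):
     * the URL string taken from the REST request body is turned into a URL and
     * opened directly. Nothing constrains scheme, host or port, so a request
     * for http://127.0.0.1:8080/... or an internal metadata address is issued
     * by the server with the server's own network position.
     */
    static Path getRemoteSourceUnchecked(String sourceURLValue, Path targetDir) throws IOException {
        URL fileURL = new URL(sourceURLValue);
        Path dest = targetDir.resolve("upload.bin"); // assumed destination name
        try (InputStream in = fileURL.openStream()) {
            Files.copy(in, dest, StandardCopyOption.REPLACE_EXISTING);
        }
        return dest;
    }

    /**
     * Hardened shape: the location must be accepted by the configured URL
     * checks before any connection is opened. URLCheckers.confirm throws
     * URLCheckException when the location is not allowed, so the fetch below
     * is never reached for a rejected URL. The check must run on the raw
     * string the caller supplied, before it is used for anything.
     */
    static Path getRemoteSourceChecked(String sourceURLValue, Path targetDir)
            throws IOException, URLCheckException {
        URLCheckers.confirm(sourceURLValue); // reject unless an enabled URL check allows this location
        URL fileURL = new URL(sourceURLValue);
        Path dest = targetDir.resolve("upload.bin"); // assumed destination name
        try (InputStream in = fileURL.openStream()) {
            Files.copy(in, dest, StandardCopyOption.REPLACE_EXISTING);
        }
        return dest;
    }

    /** Demonstrates how a caller would treat a rejected location as a client error rather than fetching it. */
    static String describeFetch(String sourceURLValue, Path targetDir) {
        try {
            Path p = getRemoteSourceChecked(sourceURLValue, targetDir);
            return "fetched to " + p;
        } catch (URLCheckException e) {
            return "rejected by URL checks: " + sourceURLValue;
        } catch (IOException e) {
            return "fetch failed: " + e.getMessage();
        }
    }
}
```

The important ordering is that confirm() runs on the exact string the client sent and before the URL is parsed or opened; validating a derived value, or validating after a first connection, leaves the SSRF window open. Because confirm() only enforces what the URL Checks configuration allows, the hardened version protects an instance only when the feature is enabled and the configured checks form a narrow allow-list of trusted remote locations.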