GHSA-68cf-j696-wvv9: GeoServer vulnerable to SSRF in TestWfsPost for specific targets, e.g. PHP + Nginx
7.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.geoserver:gs-wfs | maven | >= 1.0.0, < 2.24.4 | 2.24.4 |
| org.geoserver:gs-wfs | maven | >= 2.25.0, < 2.25.2 | 2.25.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is an SSRF in the TestWfsPost servlet of GeoServer. The advisories GHSA-68cf-j696-wvv9 and GHSA-5gw5-jccf-6hxw state that this servlet was vulnerable due to missing checks, allowing unauthenticated users to make the server issue requests to arbitrary URLs. The resolution was to remove the TestWfsPost servlet entirely and replace its functionality with a client-side JavaScript implementation.
Commit 0e896df49288a93df272590b163a639b5474c61c (titled '[GEOS-11390] Replace TestWfsPost with Javascript Demo Page') implements this resolution by removing the file src/wfs/src/main/java/org/vfny/geoserver/wfs/servlets/TestWfsPost.java.
The primary methods within this servlet that would be involved in an exploit are:
- `doGet` and `doPost`: the standard entry points for HTTP requests to the servlet. They would receive the malicious URL from the attacker.
- `processRequest`: called by `doGet` and `doPost`, this method contained the core logic for handling the user's input (including the target URL) and initiating the outbound HTTP request. This is where the SSRF would occur.
- `validateURL`: this method was designed to check the validity of the target URL. The vulnerability implies that this validation was either flawed, incomplete, or could be bypassed, failing to prevent the SSRF.
Since the entire servlet was removed as the fix, all these methods that were part of its request processing and outbound connection logic are considered vulnerable. During exploitation, these methods would appear in a runtime profile or stack trace as they process the malicious input and make the forged request.
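For readers maintaining their own server-side request relays, the following is an added illustration of the kind of outbound-URL guard such a servlet needs. It is hypothetical example code written for this page; it is not GeoServer's TestWfsPost or its `validateURL`, and the class name `OutboundUrlGuard`, the allow-list host `wfs.example.org` and the sample URLs are all assumptions constructed for the demonstration. It places a scheme-only check of the kind that lets SSRF through next to a hardened check that restricts scheme, requires an allow-listed host, and rejects names that resolve to loopback, link-local or private addresses.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Set;

/**
 * Illustrative outbound-URL guard for a "test post" style proxy servlet.
 * Hypothetical code for this page, not GeoServer's TestWfsPost: it shows the
 * checks a server-side relay needs before fetching a user-supplied URL.
 */
public final class OutboundUrlGuard {

    /** Hosts this server is allowed to relay requests to (assumed configuration). */
    private final Set<String> allowedHosts;

    public OutboundUrlGuard(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /**
     * Weak check of the kind that lets SSRF through: it only looks at the
     * scheme prefix, so any http(s) URL, including one pointing at the local
     * host or an internal network, is accepted.
     */
    public static boolean weakValidate(String url) {
        return url.startsWith("http://") || url.startsWith("https://");
    }

    /**
     * Hardened check: parse strictly, allow only http/https, refuse userinfo,
     * require the host to be on an explicit allow-list, and reject any address
     * the name resolves to that is loopback, link-local, site-local (RFC 1918),
     * unspecified or multicast. Returns null when the URL is acceptable,
     * otherwise a short reason for the rejection (useful for logging).
     */
    public String validate(String url) {
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return "malformed URL";
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return "scheme not allowed";
        }
        if (uri.getUserInfo() != null) {
            return "userinfo not allowed"; // avoids host@other-host confusion
        }
        String host = uri.getHost();
        if (host == null) {
            return "no host";
        }
        if (!allowedHosts.contains(host.toLowerCase())) {
            return "host not on allow-list";
        }
        InetAddress[] addrs;
        try {
            addrs = InetAddress.getAllByName(host);
        } catch (UnknownHostException e) {
            return "host does not resolve";
        }
        for (InetAddress a : addrs) {
            if (a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
                    || a.isAnyLocalAddress() || a.isMulticastAddress()) {
                return "resolves to internal address " + a.getHostAddress();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one allow-listed host, one loopback,
        // one private-network address and one non-HTTP scheme.
        OutboundUrlGuard guard = new OutboundUrlGuard(Set.of("wfs.example.org"));
        String[] samples = {
            "http://wfs.example.org/geoserver/wfs",
            "http://127.0.0.1:8080/geoserver/rest",
            "http://10.0.0.5/",
            "file:///etc/hosts",
        };
        for (String s : samples) {
            System.out.printf("%-45s weak=%-5s hardened=%s%n",
                    s, weakValidate(s), guard.validate(s));
        }
    }
}
```

Two caveats apply to any guard of this shape. First, resolving the name at validation time and again at connect time leaves a window for DNS rebinding, so a relay should connect to the address it validated rather than re-resolving. Second, the guard must also be applied to every redirect the outbound client follows, since a 3xx from an allow-listed host can point back inside the network.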