Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jcXBjLXgyYzYtMmdtZs4AA2oS
Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF
Summary
The WMS specification defines an sld=<url> parameter for GetMap, GetLegendGraphic and GetFeatureInfo operations for user supplied "dynamic styling". Enabling the use of dynamic styles, without also configuring URL checks, provides the opportunity for Service Side Request Forgery.
It is possible to use this for "Blind SSRF" on the WMS endpoint to steal NetNTLMv2 hashes via file requests to malicious servers.
Details
This vulnerability requires:
- WMS Settings dynamic styling being enabled
- Security URL checks to be disabled, or to be enabled and allowing
file:\\*access
Impact
This vulnerability can be used to steal user NetNTLMv2 hashes which could be relayed or cracked externally to gain further access.
Mitigation
The ability to reference an external URL location is defined by the WMS standard GetMap, GetFeatureInfo and GetLegendGraphic operations. These operations are defined by an Industry and International standard and cannot be redefined by the GeoServer application in isolation.
To disable dynamic styling on GeoServer 2.10.3 and GeoServer 2.11.1:
- Navigate to Services > WMS Settings page
- Locate Dynamic styling heading
- Select the Disable usage of SLD and SLD_BODY parameters in GET requests and user styles in POST checkbox.
Resolution
To allow dynamic styling safely on GeoServer 2.22.5 and GeoServer 2.23.2:
- Navigate to Security > URL Checks
- Enable URL Checks are enabled setting
- Check the user manual for examples of how to trust specific locations:
^https://styles\.server\.net/cartography/.*$ - Enable dynamic styling on the Services > WMS Settings page, deselect the Disable usage of SLD and SLD_BODY parameters in GET requests and user styles in POST checkbox.
Use of dynamic styling safely is on by default in GeoServer 2.24.0.
References
- Disabling usage of dynamic styling in GetMap, GetFeatureInfo and GetLegendGraphic requests
- URL Checks
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcXBjLXgyYzYtMmdtZs4AA2oS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 2 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-cqpc-x2c6-2gmf, CVE-2023-41339
References:
- https://github.com/geoserver/geoserver/security/advisories/GHSA-cqpc-x2c6-2gmf
- https://nvd.nist.gov/vuln/detail/CVE-2023-41339
- https://github.com/geoserver/geoserver/releases/tag/2.22.5
- https://github.com/geoserver/geoserver/releases/tag/2.23.2
- https://github.com/advisories/GHSA-cqpc-x2c6-2gmf
Blast Radius: 1.0
Affected Packages
maven:org.geoserver.web:gs-web-app
Affected Version Ranges: >= 2.23.0, < 2.23.2, < 2.22.5Fixed in: 2.23.2, 2.22.5
maven:org.geoserver:gs-wms
Affected Version Ranges: >= 2.23.0, < 2.23.2, < 2.22.5Fixed in: 2.23.2, 2.22.5