GeoServer Unauthenticated Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in GeoServer versions 2.0.0 prior to 2.24.4 and 2.25.0 prior to 2.25.2. The vulnerability exists in the Demo request endpoint of the GeoServer web application, specifically within the 'gs-app' and 'gs-wfs' packages. If the Proxy Base URL has not been set, an unauthenticated user can exploit this vulnerability by sending a request that the server will process and forward. This could potentially allow the attacker to access internal networks or, in cloud environments, retrieve sensitive data.

Impact

Exploitation of this vulnerability allows for unauthenticated server-side request forgery, enabling attackers to make requests from the server to internal resources or external services, potentially leading to the exposure of sensitive data or internal network enumeration.

Remediation

Users can upgrade to GeoServer versions 2.24.4 or 2.25.2 to address this vulnerability, as these versions remove the vulnerable 'TestWfsPost' servlet. For users managing GeoServer with a proxy, it is recommended to set a non-empty Proxy Base URL that cannot be overridden through the user interface or incoming requests. Users running GeoServer without a proxy should block access to the 'TestWfsPost' endpoint by adding a security constraint in the 'web.xml' file.
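The web.xml security constraint mentioned above, written out as an added example (not taken from the GeoServer project's own files). It assumes the servlet is mapped at '/TestWfsPost' in the deployed web.xml; check the existing servlet-mapping for 'TestWfsPost' before applying it, and place the fragment inside the top-level <web-app> element.

```xml
<!-- Added example: deny all access to the TestWfsPost servlet.
     Assumption: the servlet-mapping in this deployment's web.xml uses
     the url-pattern /TestWfsPost (verify against the existing mapping). -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>TestWfsPost demo endpoint</web-resource-name>
        <!-- No http-method listed, so the constraint covers every method. -->
        <url-pattern>/TestWfsPost</url-pattern>
    </web-resource-collection>
    <!-- Per the Servlet specification, an auth-constraint that names no
         roles grants access to nobody, so every request is rejected
         regardless of authentication. -->
    <auth-constraint/>
</security-constraint>
```

Restart the servlet container after editing web.xml, and confirm the change by requesting the endpoint from a browser and checking that it is refused rather than served.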

Added: Jun 10, 2025, 4:54 PM
Updated: Jun 10, 2025, 4:54 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.3
exploitability: 7.4
remediation: 7.9
relevance: 0.2
threat: 0.1
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.