GeoServer
cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*
- < 2.25.0
A vulnerability in GeoServer prior to version 2.25.0 allows unauthorized attackers to perform XML External Entity (XXE) attacks by exploiting improper URI validation. This vulnerability enables attackers to send GET requests to any HTTP server, potentially scanning internal networks for information that could be further exploited. Additionally, attackers could read limited .xsd files from the system. By default, GeoServer uses the PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before they are resolved. However, the default regex validation is insufficient: it still permits requests to any HTTP server and reads of a limited set of files. GeoServer versions 2.25.0 and greater have improved this validation by defaulting to the use of ENTITY_RESOLUTION_ALLOWLIST, eliminating the need for manual configuration.
Exploitation of this vulnerability allows an unauthenticated attacker to conduct server-side request forgery (SSRF) attacks, targeting internal networks and endpoints that handle .xsd files, while also reading certain .xsd files from the system.
Users can upgrade to GeoServer version 2.25.0 or later, which defaults to a more secure ENTITY_RESOLUTION_ALLOWLIST. For versions prior to 2.25.0, the ENTITY_RESOLUTION_ALLOWLIST can be manually defined to limit external schema locations. The GeoServer user guide provides details on how to add additional locations if needed.
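The difference between the two validation strategies described above, as an added example that is not GeoServer or GeoTools code: a scheme-denylist regex (constructed here; it is not the actual PreventLocalEntityResolver pattern) lets any http:// host through, while an allowlist of schema locations in the spirit of ENTITY_RESOLUTION_ALLOWLIST compares parsed scheme, host, port and path prefix and refuses everything else. The allowlist entries, the sample URIs, and the AllowlistEntityResolver class are assumptions made for this example, not GeoServer's shipped configuration.

```python
"""Gatekeeping external-entity URIs: scheme denylist vs. schema allowlist.

Added example, not GeoServer or GeoTools code.  The denylist regex, the
allowlist entries and every sample URI below are constructed for this example.
"""
import re
from urllib.parse import urlsplit
from xml.sax.handler import EntityResolver

# Weak policy: refuse a few local schemes and let everything else through.
# (Constructed; this is not the actual regex in PreventLocalEntityResolver.)
# Any http:// or https:// host passes, so an entity reference can make the
# server issue a GET to an internal address.
LOCAL_SCHEME_DENYLIST = re.compile(r"^\s*(file|jar|ftp):", re.IGNORECASE)


def denylist_allows(uri: str) -> bool:
    """Return True if the URI is NOT matched by the denylist."""
    return LOCAL_SCHEME_DENYLIST.match(uri) is None


# Hardened policy in the spirit of ENTITY_RESOLUTION_ALLOWLIST: resolve an entity
# only if its scheme, host, port and path prefix match a listed schema location.
# These two entries are assumed for the example, not GeoServer's shipped list.
SCHEMA_ALLOWLIST = (
    "http://schemas.opengis.net/",
    "http://www.w3.org/2001/",
)


def _components(uri: str):
    """Normalised (scheme, host, port, path), so comparison is on parsed parts
    rather than on the raw string."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, host, port, parts.path or "/"


def allowlist_allows(uri: str, allowlist=SCHEMA_ALLOWLIST) -> bool:
    """Return True only for http(s) URIs under one of the allowed locations."""
    try:
        scheme, host, port, path = _components(uri)
    except ValueError:  # malformed URI or port: refuse rather than guess
        return False
    if scheme not in ("http", "https") or not host:
        return False
    for entry in allowlist:
        e_scheme, e_host, e_port, e_path = _components(entry)
        if (scheme, host, port) == (e_scheme, e_host, e_port) and path.startswith(e_path):
            return True
    return False


class AllowlistEntityResolver(EntityResolver):
    """SAX EntityResolver that refuses any system ID failing the policy.

    A parser only consults it when configured to resolve external entities
    (xml.sax leaves external general entities disabled by default since
    Python 3.7.1); this class keeps the decision in one place if they are on.
    """

    def __init__(self, policy=allowlist_allows):
        self.policy = policy
        self.refused = []  # audit trail of rejected system IDs

    def resolveEntity(self, publicId, systemId):
        if not systemId or not self.policy(systemId):
            self.refused.append(systemId)
            raise PermissionError(f"external entity refused: {systemId!r}")
        return systemId


# Constructed sample URIs an entity declaration might carry.
SAMPLE_URIS = (
    "http://schemas.opengis.net/wfs/2.0/wfs.xsd",        # legitimate OGC schema
    "HTTP://Schemas.OpenGIS.net:80/gml/3.2.1/gml.xsd",   # same location, odd casing
    "http://10.0.0.5:8080/admin",                        # internal address (SSRF)
    "file:///opt/example/schema.xsd",                    # local file read attempt
)


def policy_report(uris=SAMPLE_URIS):
    """Map each URI to the verdict of both policies."""
    return {u: {"denylist": denylist_allows(u), "allowlist": allowlist_allows(u)}
            for u in uris}


if __name__ == "__main__":
    for uri, verdict in policy_report().items():
        print(f"{uri:52} denylist={verdict['denylist']!s:5} allowlist={verdict['allowlist']}")
```

Running the module prints one row per sample URI; the internal http://10.0.0.5:8080/admin address is the row where the denylist says allowed and the allowlist says refused, which is the gap the advisory describes. The allowlist deliberately matches on parsed components and normalised ports, so that casing or an explicit :80 on a legitimate schema host does not cause false refusals.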