GeoServer and GeoNetwork XML External Entity Processing Vulnerability in WFS Service

Vulnerability

A vulnerability allowing XML External Entity (XXE) processing attacks has been identified in GeoServer and GeoNetwork. This issue arises from the GeoTools library's handling of external XML schemas, which can be exploited to read arbitrary files from the server or perform Server-Side Request Forgery (SSRF) attacks. The vulnerability affects GeoServer versions 2.27.0, 2.26.0 through 2.26.2, and 2.25.6, as well as GeoNetwork versions 4.4.0 through 4.4.7 and 4.2.0 through 4.2.12.

Impact

Exploitation of this vulnerability allows unauthenticated attackers to read sensitive files from the server's filesystem, such as configuration files and credentials, and to conduct SSRF attacks by forcing GeoServer to make HTTP requests to arbitrary URLs.

Reproduction

The vulnerability can be reproduced by sending a WFS request that includes a reference to an external XML schema. The GeoServer or GeoNetwork instance must be running a vulnerable version and the WFS service must be exposed without authentication.
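As an added defender-side example (not code from the advisory, GeoServer, or GeoNetwork), the screener below inspects a WFS POST body before it reaches the service and flags the two shapes of request this issue turns on: a DOCTYPE declaration, and an xsi:schemaLocation or xsi:noNamespaceSchemaLocation that points at a host outside an assumed allowlist (here only schemas.opengis.net; the attacker.invalid host in the sample is a placeholder).

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSI = "http://www.w3.org/2001/XMLSchema-instance"
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
# Assumed allowlist: the only host a schema reference in a request may name.
ALLOWED_SCHEMA_HOSTS = {"schemas.opengis.net"}


def schema_urls(body):
    """Return every schema URL named by xsi:schemaLocation (namespace/URL
    pairs) or xsi:noNamespaceSchemaLocation anywhere in the document."""
    urls = []
    for elem in ET.fromstring(body).iter():
        loc = elem.get("{%s}schemaLocation" % XSI)
        if loc:
            urls.extend(loc.split()[1::2])  # odd tokens are the schema URLs
        nns = elem.get("{%s}noNamespaceSchemaLocation" % XSI)
        if nns:
            urls.append(nns)
    return urls


def screen_wfs_request(body, allowed_hosts=ALLOWED_SCHEMA_HOSTS):
    """Return a list of findings for one WFS request body; empty means clean.
    A DOCTYPE is reported without parsing further, so the screener itself
    never hands a DTD to an XML parser."""
    if DOCTYPE_RE.search(body):
        return ["doctype-declaration"]
    try:
        urls = schema_urls(body)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = []
    for url in urls:
        host = urlparse(url).hostname
        if host is None or host.lower() not in allowed_hosts:
            findings.append("external-schema:" + url)
    return findings


def make_request(schema_url):
    """Constructed WFS 2.0 GetFeature body (sample input, not captured traffic)."""
    return (f'<wfs:GetFeature service="WFS" version="2.0.0" '
            f'xmlns:wfs="http://www.opengis.net/wfs/2.0" xmlns:xsi="{XSI}" '
            f'xsi:schemaLocation="http://www.opengis.net/wfs/2.0 {schema_url}">'
            f'<wfs:Query typeNames="topp:states"/></wfs:GetFeature>')


BENIGN_REQUEST = make_request("http://schemas.opengis.net/wfs/2.0/wfs.xsd")
EXTERNAL_SCHEMA_REQUEST = make_request("http://attacker.invalid/evil.xsd")  # placeholder host
DOCTYPE_REQUEST = '<!DOCTYPE GetFeature [<!ENTITY g "hi">]>' + BENIGN_REQUEST
```

Run it against request logs or a reverse-proxy hook; anything other than an empty list is worth an alert while a vulnerable version is still deployed.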

Remediation

Update to GeoServer versions 2.27.1, 2.26.3, or 2.25.7, and GeoNetwork versions 4.4.8 or 4.2.13. For GeoNetwork, the WFS Index functionality can also be disabled by removing the 'gn-wfsfeature-harvester' and 'gn-camelPeriodicProducer' JARs.

Added: Jun 10, 2025, 5:11 PM
Updated: Jun 10, 2025, 5:11 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 3.8
exploitability: 8.7
remediation: 7.7
relevance: 0.2
threat: 6.7
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.