CVE-2023-25157

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-25157

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25157.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-25157

Aliases

GHSA-7g5f-wrx8-5ccf

Published

2023-02-21T22:15:10Z

Modified

2024-05-30T04:02:14.808711Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore encode functions setting to mitigate strEndsWith, strStartsWith and PropertyIsLike misuse and enable the PostGIS DataStore preparedStatements setting to mitigate the FeatureId misuse.

References

Affected packages

Git / github.com/geoserver/geoserver

Affected ranges

Type: GIT
Repo: https://github.com/geoserver/geoserver
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

145a8af798590288d270b240235e89c8f0b62e1d

Affected versions

2.*

2.11-beta

2.21-M0