CVE-2023-25158

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-25158
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25158.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-25158
Aliases
Published
2023-02-21T20:57:47.754Z
Modified
2025-12-04T23:41:25.408193Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Unfiltered SQL Injection in Geotools
Details

GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for parsing, encoding and executing the OGC Filter expression language against a range of datastores. SQL injection vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or version 28.2 to resolve this issue. Users unable to upgrade may disable encode functions for PostGIS DataStores, or enable prepared statements for JDBCDataStores, as a partial mitigation.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25158.json",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/geotools/geotools

Affected ranges

Type
GIT
Repo
https://github.com/geotools/geotools
Events
Database specific
{
    "versions": [
        {
            "introduced": "28.0"
        },
        {
            "fixed": "28.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/geotools/geotools
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "27.4"
        }
    ]
}