GHSA-99c3-qc2q-p94m

Source

https://github.com/advisories/GHSA-99c3-qc2q-p94m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-99c3-qc2q-p94m/GHSA-99c3-qc2q-p94m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-99c3-qc2q-p94m

Aliases

CVE-2023-25158

Published

2023-02-22T19:16:06Z

Modified

2023-11-08T04:11:50.640650Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

GeoTools OGC Filter SQL Injection Vulnerabilities

Details

Impact

GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore.

SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations:

PropertyIsLike filter
- Requires PostGIS DataStore with "encode functions" enabled
- Or any JDBCDataStore (all relational databases) with String field (no mitigation)
strEndsWith function
- Requires PostGIS DataStore with "encode functions" enabled
strStartsWith function
- Requires PostGIS DataStore with "encode functions" enabled
FeatureId filter
- Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does)
jsonArrayContains function
- Requires PostGIS and Oracle DataStore with String or JSON field
DWithin filter
- Happens only in Oracle DataStore, no mitigation

Patches

GeoTools 28.2
GeoTools 27.4
GeoTools 26.7
GeoTools 25.7
GeoTools 24.7

Workarounds

Partial mitigation:

In PostGIS DataStore disable "encode functions"

In any PostGIS enable "prepared statements" (only database with such settings)

        Map&lt;String, Object> params = new HashMap<>();
        params.put("dbtype", "postgis");
        params.put("host", "localhost");
        params.put("port", 5432);
        params.put("schema", "public");
        params.put("database", "database");
        params.put("user", "postgres");
        params.put("passwd", "postgres");
        params.put("preparedStatements", true ); // mitigation
        params.put("encode functions", false ); // mitigation

        DataStore dataStore = DataStoreFinder.getDataStore(params);

References

OGC Filter SQL Injection Vulnerabilities (GeoServer)

Database specific

{
    "nvd_published_at": "2023-02-21T21:15:00Z",
    "github_reviewed_at": "2023-02-22T19:16:06Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

Maven / org.geotools:gt-jdbc

Package

Name: org.geotools:gt-jdbc; View open source insights on deps.dev
Purl: pkg:maven/org.geotools/gt-jdbc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

28.0

Fixed

28.2

Maven / org.geotools:gt-jdbc

Package

Name: org.geotools:gt-jdbc; View open source insights on deps.dev
Purl: pkg:maven/org.geotools/gt-jdbc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

27.0

Fixed

27.4

Maven / org.geotools:gt-jdbc

Package

Name: org.geotools:gt-jdbc; View open source insights on deps.dev
Purl: pkg:maven/org.geotools/gt-jdbc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

26.0

Fixed

26.7

Maven / org.geotools:gt-jdbc

Package

Name: org.geotools:gt-jdbc; View open source insights on deps.dev
Purl: pkg:maven/org.geotools/gt-jdbc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

25.0

Fixed

25.7

Maven / org.geotools:gt-jdbc

Package

Name: org.geotools:gt-jdbc; View open source insights on deps.dev
Purl: pkg:maven/org.geotools/gt-jdbc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

24.7