GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
The GeoTools library uses the Eclipse XSD class to represent XML schema structures. When a processed XML document contains a reference to an external XML schema, the Schemas class does not use the EntityResolver object provided by ParserHandler. As a result, external XML entities can be resolved without restrictions, allowing an attacker to inject a specially crafted XML document pointing to local server resources or internal network addresses. This also applies to gt-wfs-ng DataStore users, where the ENTITY_RESOLVER connection parameter was not applied as intended.
An attacker can read arbitrary files from the server file system (e.g., passwords, configuration keys) and conduct SSRF attacks by sending requests to internal network resources inaccessible directly from the Internet. The vulnerability has a scope extending beyond the attacked application (Scope: Changed), which significantly increases its criticality.
The software should be updated as soon as possible to versions with the vulnerability removed: GeoTools 33.1, 32.3, 31.7 or 28.6.1; GeoServer 2.27.1, 2.26.3 or 2.25.7; GeoNetwork 4.4.8 or 4.2.13. As a temporary workaround, it is recommended to disable the processing of external XML entities in accordance with the manufacturer's guidelines available at: https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
GeoTools in versions prior to 33.1, 32.3, 31.7 and 28.6.1; GeoServer in versions prior to 2.27.1, 2.26.3 and 2.25.7; GeoNetwork in versions prior to 4.4.8 and 4.2.13. The vulnerability affects any system that processes XML documents with references to external schemas using the gt-xsd-core module.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:LGeotools
APPGeotools33.0< 28.6.129.0 – 31.7 (bez)32.0 – 32.3 (bez)Osgeo Geonetwork
APPOsgeo4.2.0 – 4.2.13 (bez)4.4.0 – 4.4.8 (bez)Osgeo Geoserver
APPOsgeo2.27.0< 2.25.72.26.0 – 2.26.3 (bez)
Related vulnerabilities
GeoServer RCE przez niezabezpieczoną ewaluację XPath w parametrach OGC
GeoServer: XXE umożliwiające skanowanie sieci wewnętrznych (SSRF)
GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for...
GeoServer is an open source software server written in Java that allows users to share and edit geospatial dat...
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27....