Description
GeoServer allows an unauthenticated attacker to send arbitrary requests that perform lookups on the internal network, which is otherwise not accessible externally. An attacker may use this feature to perform SSRF (server-side request forgery) attacks on the server.
Remediation
Upgrade to the latest version of GeoServer.
Related Vulnerabilities
MediaWiki Exposure of Resource to Wrong Sphere Vulnerability (CVE-2021-31547)
Beego Framework Use of a Broken or Risky Cryptographic Algorithm Vulnerability (CVE-2024-40465)
WebLogic CVE-2017-10271 Vulnerability (CVE-2017-10271)
PHP Improper Encoding or Escaping of Output Vulnerability (CVE-2024-5585)