CVE-2023-40017

Published: Aug 24, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts. A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.

Affected (1)

Products: Geosolutionsgroup: Geonode

Geosolutionsgroup

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Geosolutionsgroup Geonode	From 3.2.0 to 4.1.2

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/GeoNode/geonode/commit/a9eebae80cb362009660a1fd49e105e7cdb499b9

Source: security-advisories@github.com

Patch

https://github.com/GeoNode/geonode/security/advisories/GHSA-rmxg-6qqf-x8mr

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/GeoNode/geonode/commit/a9eebae80cb362009660a1fd49e105e7cdb499b9

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/GeoNode/geonode/security/advisories/GHSA-rmxg-6qqf-x8mr

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.