CVE-2023-25157

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.

### Impact GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. SQL Injection Vulnerabilities have been found with: * ``PropertyIsLike`` filter, when used with a String field and any database DataStore, or with a PostGIS DataStore with encode functions enabled * ``strEndsWith`` function, when used with a PostGIS DataStore with encode functions enabled * ``strStartsWith`` function, when used with a PostGIS DataStore with encode functions enabled * ``FeatureId`` filter, when used with any database table having a String primary key column and when prepared statements are disabled * ``jsonArrayContains`` function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only) * ``DWithin`` filter, when used with an Oracle DataStore ### Patches * GeoSever 2.21.4 * GeoServer 2.22.2 * GeoServer 2.20.7 * GeoServer 2.19.7 * GeoServer 2.18.7 ### Workarounds 1. Disabling the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` vulnerabilities (Like filters have no mitigation, if there is a string field in the feature type published). 2. Enabling the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` vulnerability. ### References * [OGC Filter SQL Injection Vulnerabilities](https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m) (GeoTools) * [OGC Filter Injection Vulnerability Statement](https://geoserver.org/vulnerability/2023/02/20/ogc-filter-injection.html) (GeoServer Blog)

### Impact GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. SQL Injection Vulnerabilities have been found with: * ``PropertyIsLike`` filter, when used with a String field and any database DataStore, or with a PostGIS DataStore with encode functions enabled * ``strEndsWith`` function, when used with a PostGIS DataStore with encode functions enabled * ``strStartsWith`` function, when used with a PostGIS DataStore with encode functions enabled * ``FeatureId`` filter, when used with any database table having a String primary key column and when prepared statements are disabled * ``jsonArrayContains`` function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only) * ``DWithin`` filter, when used with an Oracle DataStore ### Patches * GeoSever 2.21.4 * GeoServer 2.22.2 * GeoServer 2.20.7 * GeoServer 2.19.7 * GeoServer 2.18.7 ### Workarounds 1. Disabling the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` vulnerabilities (Like filters have no mitigation, if there is a string field in the feature type published). 2. Enabling the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` vulnerability. ### References * [OGC Filter SQL Injection Vulnerabilities](https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m) (GeoTools) * [OGC Filter Injection Vulnerability Statement](https://geoserver.org/vulnerability/2023/02/20/ogc-filter-injection.html) (GeoServer Blog)

GeoServer es un servidor de software de código abierto escrito en Java que permite a los usuarios compartir y editar datos geoespaciales. GeoServer incluye soporte para el lenguaje de expresión de filtro OGC y el lenguaje de consulta común (CQL) de OGC como parte de los protocolos Web Feature Service (WFS) y Web Map Service (WMS). CQL también es compatible a través del protocolo Web Coverage Service (WCS) para coberturas de ImageMosaic. Se recomienda a los usuarios que actualicen a la versión 2.21.4 o 2.22.2 para resolver este problema. Los usuarios que no puedan actualizar deben deshabilitar la configuración *encode funciones* de PostGIS Datastore para mitigar el mal uso de ``strEndsWith``, ``strStartsWith`` y ``PropertyIsLike `` y habilitar la configuración *preparedStatements* de PostGIS DataStore para mitigar ``FeatureId` `mal uso.