CVE-2023-41339

8.6 HIGH

📋 TL;DR

This CVE allows attackers to perform Server-Side Request Forgery (SSRF) attacks against GeoServer instances with dynamic styling enabled but without URL validation. Attackers can exploit this to steal NetNTLMv2 hashes from Windows systems, which could be cracked or relayed for further network access. All GeoServer instances with dynamic styling enabled and lacking URL checks are affected.

💻 Affected Systems

Products:
  • GeoServer
Versions: All versions before 2.22.5 and 2.23.2
Operating Systems: Any OS running GeoServer
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when dynamic styling is enabled without URL validation. Default configurations may not have dynamic styling enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain access to internal network resources, steal credentials via NetNTLMv2 hash capture, and potentially achieve lateral movement or domain compromise.

🟠 Likely Case

Attackers exfiltrate NetNTLMv2 hashes from Windows systems, which could be cracked offline or used in relay attacks to access internal services.

🟢 If Mitigated

Limited to information disclosure about internal network services if URL validation blocks external requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted WMS requests with malicious SLD parameters. No authentication needed if GeoServer endpoints are publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.22.5 or 2.23.2

Vendor Advisory: https://github.com/geoserver/geoserver/security/advisories/GHSA-cqpc-x2c6-2gmf

Restart Required: Yes

Instructions:

1. Download GeoServer 2.22.5 or 2.23.2 from the official releases.
2. Back up the current configuration.
3. Stop the GeoServer service.
4. Replace the installation with the patched version.
5. Restart the GeoServer service.

🔧 Temporary Workarounds

Disable dynamic styling (applies to: all)

Disable the use of dynamic SLD styles in the GeoServer configuration:
  • Edit web.xml to remove or comment out SLDService parameters
  • Set 'allowDynamicStyling' to false in WMS settings

Implement URL validation (applies to: all)

Configure GeoServer to validate SLD URLs against allowed domains:
  • Configure the 'sldUrlCheck' filter in web.xml with the allowed domains

🧯 If You Can't Patch

  • Disable dynamic styling completely in GeoServer configuration
  • Implement network segmentation to restrict GeoServer's outbound HTTP requests

🔍 How to Verify

Check if Vulnerable:

Check whether dynamic styling is enabled without URL validation in the GeoServer WMS settings and whether the installed version is below 2.22.5 / 2.23.2.

Check Version:

Check the admin panel of the GeoServer web interface, or examine the version of the deployed geoserver.war.

Verify Fix Applied:

Verify that the GeoServer version is 2.22.5 or 2.23.2 (or later) and test that SLD URL validation is enforced, i.e. that an SLD reference outside the allowed domains is rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SLD parameter requests in GeoServer logs
  • HTTP requests to internal resources from GeoServer

Network Indicators:

  • GeoServer making unexpected outbound HTTP requests
  • SMB authentication attempts from GeoServer to internal systems

SIEM Query:

source="geoserver" AND (sld=* OR SLD=*) AND url=*
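The log indicators above turned into a small detector, as an added example that is not part of the original page or of GeoServer itself: it scans access-log lines for WMS requests carrying an SLD parameter and flags any whose value is not an http(s) URL on an allow-listed host. The log format, the sample lines and the allowed host are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in a common access-log shape (not real GeoServer logs).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&SLD=https%3A%2F%2Fstyles.example.org%2Fstates.sld HTTP/1.1" 200 4821
203.0.113.7 - - [10/Oct/2023:12:00:09 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&sld=http%3A%2F%2F203.0.113.9%2Fx.sld HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:12:00:15 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&SLD=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 400 77
10.0.0.8 - - [10/Oct/2023:12:01:02 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities HTTP/1.1" 200 90211
"""

# Assumption: the organisation's approved style server(s); mirrors the URL allow-list mitigation.
ALLOWED_SLD_HOSTS = {"styles.example.org"}

# Combined-log style request line: source, timestamp, method, target, status.
REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def sld_params(target):
    """Return every SLD value (key matched case-insensitively) from a request target."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [v for k, vals in qs.items() if k.lower() == "sld" for v in vals]

def classify_sld(value):
    """Return a reason string if the SLD reference is not an allow-listed http(s) URL, else None."""
    u = urlsplit(unquote(value))  # parse_qs decoded once; unquote catches double-encoding
    if u.scheme.lower() not in ("http", "https"):
        return f"non-http scheme {u.scheme!r}"
    if u.hostname is None or u.hostname.lower() not in ALLOWED_SLD_HOSTS:
        return f"host {u.hostname!r} not in allow-list"
    return None

def scan(log_text):
    """Return (source_ip, timestamp, sld_value, reason) for each request worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        for v in sld_params(m["target"]):
            reason = classify_sld(v)
            if reason:
                findings.append((m["src"], m["ts"], v, reason))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(*f, sep=" | ")
```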
