CVE-2023-42439

7.5 HIGH

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in GeoNode versions 3.2.0 through 4.1.3 that bypasses existing URL whitelist controls. Attackers can exploit this to make the application request internal services and retrieve sensitive data from internal networks. All GeoNode deployments using affected versions are vulnerable.

💻 Affected Systems

Products:
  • GeoNode
Versions: 3.2.0 through 4.1.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of internal network services, data exfiltration from internal systems, potential lateral movement to other internal resources.

🟠 Likely Case

Unauthorized access to internal GeoServer instances, exposure of sensitive geospatial data, potential credential harvesting from internal services.

🟢 If Mitigated

Limited to reconnaissance of internal network structure, but no data exfiltration if proper network segmentation and access controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but uses simple URL manipulation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.3.post1

Vendor Advisory: https://github.com/GeoNode/geonode/security/advisories/GHSA-pxg5-h34r-7q8p

Restart Required: Yes

Instructions:

1. Back up your GeoNode instance and database.
2. Update to version 4.1.3.post1 or later using pip: 'pip install "geonode>=4.1.3.post1"' (quote the specifier so the shell does not treat '>' as a redirect).
3. Restart all GeoNode services.
4. Verify the fix by testing SSRF attempts.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict GeoNode's outbound network access to only necessary services.

Web Application Firewall Rules (applies to: all)

Block requests containing '@' or '%40' in URLs at the WAF level. Expect some false positives, since '@' can appear legitimately in query parameters such as e-mail addresses.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GeoNode from sensitive internal services
  • Deploy a WAF with rules to detect and block SSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check the GeoNode version with 'pip show geonode' or by examining the package metadata. If the version is between 3.2.0 and 4.1.3 inclusive, you are vulnerable.

Check Version:

pip show geonode | grep Version

Verify Fix Applied:

After patching, attempt to reproduce the SSRF bypass using '@' or '%40' in URLs. A successful fix rejects such requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound requests from GeoNode to internal IPs
  • Requests containing '@' or '%40' in URL parameters
  • Failed authentication attempts to internal services

Network Indicators:

  • GeoNode making unexpected connections to internal services on port 8080
  • Traffic patterns showing GeoNode accessing non-whitelisted internal resources

SIEM Query:

source="geonode" AND (url="*@*" OR url="*%40*")
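Added example, not code from this page or from GeoNode itself: a Python allowlist check of the kind the verification step and these indicators concern. It treats '%40' like '@' and rejects any userinfo component, set beside a substring check that the trick slips past, and applies the page's log indicator to constructed log lines. The allowlisted host, the key=value log format and the sample lines are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist for the example; a real deployment's allowlist is its own.
ALLOWED_HOSTS = {"geoserver.example.org"}


def naive_allowed(url: str) -> bool:
    """Substring-style check of the kind the '@' trick slips past: the
    allowlisted name only has to appear somewhere in the URL."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_allowed(url: str) -> bool:
    """Allow only if the host the request would actually reach is allowlisted.
    The raw URL and its percent-decoded form are both checked, so '%40' is
    treated like '@', and any userinfo component is rejected outright."""
    for candidate in (url, unquote(url)):
        parts = urlsplit(candidate)
        if parts.username is not None or parts.password is not None:
            return False  # 'allowed-host@real-target' pattern
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return False  # wrong host, or nothing parsable as a host
    return True


def suspicious_log_lines(lines):
    """Apply the page's log indicator ('@' or '%40' in the requested URL) to
    constructed 'key=value' log lines and return the URLs that also fail
    the strict allowlist check."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        url = fields.get("url", "")
        if ("@" in url or "%40" in url) and not strict_allowed(url):
            hits.append(url)
    return hits


# Constructed sample log lines, not real GeoNode output.
SAMPLE_LOG = [
    "user=alice url=http://geoserver.example.org/geoserver/wms",
    "user=bob url=http://geoserver.example.org@10.0.0.5:8080/admin",
    "user=bob url=http://geoserver.example.org%4010.0.0.5:8080/admin",
]

if __name__ == "__main__":
    for url in suspicious_log_lines(SAMPLE_LOG):
        print("investigate:", url)
```

The first sample line passes both checks; the other two pass the substring check but fail the strict one, which is the gap the whitelist bypass exploits.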
