Headline
GHSA-r4hf-r8gj-jgw2: Coverage REST API Server Side Request Forgery
Summary
The Coverage REST API endpoint /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format}
allows a file to be uploaded from a caller-specified URL (when {method} is 'url') with no restriction on that URL.
Details
The Coverage REST API endpoint /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format}
allows a file to be uploaded from a caller-specified URL (when {method} is 'url'), but this URL is not validated with the URL Checks feature.
For example, the following check should be applied to fileURL before it is fetched:
URLCheckers.confirm(fileURL);
The vulnerable code is in RESTUtils.java.
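The confirm-before-fetch step the advisory calls for, shown as an added example in Python rather than GeoServer's Java (this is not the project's own code): the handler parses the {method}.{format} path and, when the method is url, runs an allowlist check standing in for URLCheckers.confirm before anything is fetched. The allowlist patterns, the handler and the injected fetch callable are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist standing in for the URL Checks an administrator would
# configure: regular expressions a remote file URL must fully match.
ALLOWED_URL_PATTERNS = [
    r"https://data\.example\.org/rasters/[^?#]+\.tif",
]

COVERAGE_STORE_PATH = re.compile(
    r"/workspaces/([^/]+)/coveragestores/([^/]+)/([^/.]+)\.([^/.]+)"
)


class URLCheckException(Exception):
    """Raised when a URL is not permitted by the configured URL checks."""


def confirm(file_url, patterns=ALLOWED_URL_PATTERNS):
    """Hypothetical stand-in for URLCheckers.confirm: the URL must be an
    absolute http(s) URL and match at least one configured pattern.
    Returns the URL unchanged when it is allowed."""
    parsed = urlparse(file_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise URLCheckException("unsupported or relative URL: %s" % file_url)
    if not any(re.fullmatch(p, file_url) for p in patterns):
        raise URLCheckException("URL rejected by URL checks: %s" % file_url)
    return file_url


def handle_coverage_store_upload(path, file_url, fetch):
    """Simplified handler for the {method}.{format} upload endpoint.
    `fetch` retrieves the remote file and is injected so the example runs
    offline. Returns an (http_status, body) pair."""
    match = COVERAGE_STORE_PATH.fullmatch(path)
    if not match:
        return 404, "not a coverage store upload path"
    workspace, store, method, fmt = match.groups()
    if method != "url":
        return 400, "method %r does not take a remote URL" % method
    # The missing step: validate the URL before the server makes any request
    # on the caller's behalf. Without it, fetch() would run unconditionally.
    try:
        confirm(file_url)
    except URLCheckException as exc:
        return 403, str(exc)
    return 200, fetch(file_url)
```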
Impact
This vulnerability presents the opportunity for Server Side Request Forgery.
References
- https://osgeo-org.atlassian.net/browse/GEOS-11468
- https://osgeo-org.atlassian.net/browse/GEOS-11717