logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-25158 org.geotools:gt-jdbc

Package

Manager: maven
Name: org.geotools:gt-jdbc
Vulnerable Version: >=28.0 <28.2 || >=27.0 <27.4 || >=26.0 <26.7 || >=25.0 <25.7 || >=0 <24.7

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01136 pctl0.77564

Details

GeoTools OGC Filter SQL Injection Vulnerabilities ### Impact GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations: 1. ``PropertyIsLike`` filter * Requires PostGIS DataStore with "encode functions" enabled * Or any JDBCDataStore (all relational databases) with String field (no mitigation) 3. ``strEndsWith`` function * Requires PostGIS DataStore with "encode functions" enabled 5. ``strStartsWith`` function * Requires PostGIS DataStore with "encode functions" enabled 6. ``FeatureId`` filter * Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does) 7. ``jsonArrayContains`` function * Requires PostGIS and Oracle DataStore with String or JSON field 8. ``DWithin`` filter * Happens only in Oracle DataStore, no mitigation ### Patches * GeoTools 28.2 * GeoTools 27.4 * GeoTools 26.7 * GeoTools 25.7 * GeoTools 24.7 ### Workarounds Partial mitigation: * In PostGIS DataStore disable "encode functions" * In any PostGIS enable "prepared statements" (only database with such settings) ```java Map<String, Object> params = new HashMap<>(); params.put("dbtype", "postgis"); params.put("host", "localhost"); params.put("port", 5432); params.put("schema", "public"); params.put("database", "database"); params.put("user", "postgres"); params.put("passwd", "postgres"); params.put("preparedStatements", true ); // mitigation params.put("encode functions", false ); // mitigation DataStore dataStore = DataStoreFinder.getDataStore(params); ``` ### References * [OGC Filter SQL Injection Vulnerabilities](https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf) (GeoServer)

Metadata

Created: 2023-02-22T19:16:06Z
Modified: 2023-02-22T19:16:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-99c3-qc2q-p94m/GHSA-99c3-qc2q-p94m.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-99c3-qc2q-p94m
Finding: F297
Auto approve: 1