CVE-2023-25158 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2023-25158

CVE-2023-25158

February 21, 2023

GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable "encode functions" for PostGIS DataStores or enable "prepared statements" for JDBCDataStores as a partial mitigation.

Related Resources (5)

https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b

https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25158.json

https://github.com/geotools/geotools

https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m

https://nvd.nist.gov/vuln/detail/CVE-2023-25158

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

EPSS

Base Score:

3.91

Products

Solutions

Resources

Company

Compare

Developer Tools