CVE-2024-40625

Description

### Summary The Coverage rest api `/workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format}` allow to upload file with a specified url (with {method} equals 'url') with no restrict. ### Details The Coverage rest api `/workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format}` allow to upload file with a specified url (with {method} equals 'url'). But this url has not been check with [URL Checks feature](https://docs.geoserver.org/latest/en/user/security/urlchecks.html#url-checks). For example, should add the code below to check fileURL: ```java URLCheckers.confirm(fileURL) ``` The vulnerable code was [RESTUtils.java](https://github.com/geoserver/geoserver/blob/main/src/rest/src/main/java/org/geoserver/rest/util/RESTUtils.java#L176) ### Impact This vulnerability presents the opportunity for Server Side Request Forgery. ### References - https://osgeo-org.atlassian.net/browse/GEOS-11468 - https://osgeo-org.atlassian.net/browse/GEOS-11717

Affected packages (2)

• Maven/org.geoserver:gs-restfrom 0, < 2.26.0
• Maven/org.geoserver.web:gs-web-appfrom 0, < 2.26.0

CVSS scores

References (5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-40625
• PATCHhttps://github.com/geoserver/geoserver
• WEBhttps://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2
• WEBhttps://osgeo-org.atlassian.net/browse/GEOS-11468
• WEBhttps://osgeo-org.atlassian.net/browse/GEOS-11717