CVE-2026-42352
pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber
Description
### Impact

OGC API - Processes execution requests can use the `subscriber` object to make HTTP requests to internal services (server-side request forgery).

### Patches

The issue has been patched in the master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default (unless explicitly enabled in the configuration by a new `allow_internal_requests` directive). The commit/fix can be found in [3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef](https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef).

### Workarounds

Users can update existing applications by disabling process-based resources in their pygeoapi config until 0.23.3 can be installed and deployed.
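As an added example (not pygeoapi's own code), the kind of destination check the description implies: subscriber callback URIs are rejected when they point at internal addresses unless `allow_internal_requests` is enabled. The `successUri`/`inProgressUri`/`failedUri` field names come from the OGC API - Processes subscriber object; the function names and treating the directive as a plain boolean are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Callback fields of the OGC API - Processes subscriber object.
SUBSCRIBER_FIELDS = ("successUri", "inProgressUri", "failedUri")


def is_internal_host(host: str) -> bool:
    """True when host is a literal IP outside public address space, or a
    name that plainly refers to the local machine. This is an offline check:
    it does not resolve DNS, so a public name that resolves to an internal
    address must additionally be checked after resolution."""
    if host.lower() in ("localhost", "localhost.localdomain"):
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Not an IP literal: treat *.localhost and bare single-label names
        # (typical of internal DNS) as internal.
        return host.endswith(".localhost") or "." not in host
    # is_global is False for loopback, private, link-local and reserved ranges.
    return not ip.is_global


def validate_subscriber(subscriber: dict, allow_internal_requests: bool = False) -> list:
    """Return rejection reasons for a subscriber object (empty list == accepted).

    allow_internal_requests models the configuration directive named in the
    advisory; its exact placement in the pygeoapi config is not assumed here.
    """
    problems = []
    for field in SUBSCRIBER_FIELDS:
        uri = subscriber.get(field)
        if uri is None:
            continue
        parsed = urlparse(uri)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            problems.append(f"{field}: unsupported or malformed URL")
            continue
        if not allow_internal_requests and is_internal_host(parsed.hostname):
            problems.append(f"{field}: internal destination blocked")
    return problems


if __name__ == "__main__":
    # Constructed sample: one public callback, one loopback callback.
    sample = {"successUri": "https://hooks.example.com/done",
              "failedUri": "http://127.0.0.1:8080/hook"}
    print(validate_subscriber(sample))  # ['failedUri: internal destination blocked']
```

The check covers literal hosts only; a deployment that resolves callback names should apply `is_internal_host` to every resolved address as well, and pin that address for the actual request.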
How to fix CVE-2026-42352
To fix CVE-2026-42352, upgrade the affected package to one of the patched versions listed below.
- — Upgrade to 0.23.3 or later
Is CVE-2026-42352 being exploited?
Low — EPSS is 0.0%; no widespread exploitation activity has been observed so far.
Affected packages (1)
- >= 0.23.0, < 0.23.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.6) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |