CVE-2021-40822
Published 2022-05-02
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
Priority: P1 · 80 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (ITW exploit); listed in VulnCheck KEV
EPSS: 18.93% (96.9th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| osgeo | geoserver | <= 2.18.5 | — |
| osgeo | geoserver | >= 2.19.0 < 2.19.3 | 2.19.3 |
Detection & IOCs (extracted from sources)
- url: /geoserver/TestWfsPost
- path: /geoserver/TestWfsPost
- command: form_hf_0=&url=http://oast.pro/geoserver/../&body=&username=&password=
- Detect SSRF exploitation attempts by monitoring POST requests to /geoserver/TestWfsPost whose body carries a user-controlled 'url' parameter.
- GeoServer instances can be fingerprinted by checking the response body at the /geoserver/ path for the strings 'geoserver.web', 'geoserverbasepage', or 'GeoServer: Redirecting'.
- Use Shodan queries 'title:"GeoServer"' or 'http.title:"geoserver"' to identify exposed GeoServer instances potentially vulnerable to this SSRF.
- Use FOFA queries 'app="GeoServer"' or 'title="geoserver"' to identify exposed GeoServer instances.
- Use Google dork 'intitle:"geoserver"' to discover publicly exposed GeoServer instances.
- Successful SSRF exploitation results in an HTTP 200 response with 'Interactsh' in the body and 'text/html' in the Content-Type header, indicating that the out-of-band callback was triggered.
- The SSRF is triggered via the proxy host configuration option; the TestWfsPost endpoint is the attack vector used to supply an arbitrary URL.
- The exploit template uses a two-step flow: first confirm GeoServer is present at /geoserver/, then send the SSRF payload to /geoserver/TestWfsPost. Both steps must succeed for a confirmed finding.
- Affected versions are GeoServer <= 2.18.5 and 2.19.x <= 2.19.2; versions 2.19.3 and later contain the fix.
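The first detection item above (POST requests to /geoserver/TestWfsPost carrying a user-controlled 'url' parameter) turned into detection logic run over request logs. This is an added example, not code from the page, the Nuclei template or the GeoServer project. It assumes a reverse proxy or WAF in front of GeoServer that records method, path and POST body as one JSON object per line; the log lines in it are constructed, reusing the payload shape from the command IOC above (a callback host followed by /geoserver/../) plus a cloud-metadata probe. It also grades the target: a loopback, private or link-local address means the server is being used to reach something the attacker cannot, while an external host is usually a scanner's out-of-band confirmation.

```python
"""Flag TestWfsPost SSRF attempts in reverse-proxy request logs.

Added example, not code from the page or from the GeoServer project. It
assumes a reverse proxy or WAF in front of GeoServer that writes one JSON
object per request with the method, path and (for POST) the form body; the
log lines below are constructed for this example.
"""
import ipaddress
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

TARGET_PATH = "/geoserver/TestWfsPost"

# Constructed sample: one page load, the public PoC shape, a cloud-metadata
# probe, and the empty submission the demo form sends on its own.
SAMPLE_LOG = "\n".join([
    '{"method": "GET", "path": "/geoserver/web/", "body": ""}',
    '{"method": "POST", "path": "/geoserver/TestWfsPost", '
    '"body": "form_hf_0=&url=http://oast.pro/geoserver/../&body=&username=&password="}',
    '{"method": "POST", "path": "/geoserver/TestWfsPost", '
    '"body": "form_hf_0=&url=http://169.254.169.254/latest/meta-data/&body=&username=&password="}',
    '{"method": "POST", "path": "/geoserver/TestWfsPost", '
    '"body": "form_hf_0=&url=&body=&username=&password="}',
])


def classify_target(host: str) -> str:
    """'internal' for loopback, RFC 1918 and link-local targets (cloud metadata
    lives at 169.254.169.254), 'external' for everything else. A hostname that
    is not an IP literal is treated as external: out-of-band callback domains
    such as oast.pro are the usual case there."""
    if host.lower() == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "external"


def analyze_request(method: str, path: str, body: str) -> Optional[Dict]:
    """Return a finding for a POST to TestWfsPost that carries a non-empty
    'url' form field; return None for everything else."""
    if method.upper() != "POST" or urlparse(path).path != TARGET_PATH:
        return None
    fields = parse_qs(body, keep_blank_values=True)
    url = (fields.get("url") or [""])[0]
    if not url:
        return None  # the demo form posts an empty url on an ordinary page load
    target_url = urlparse(url)
    host = target_url.hostname or ""
    target = classify_target(host)
    return {
        "path": path,
        "url": url,
        "host": host,
        "target": target,
        # the PoC payload appends /geoserver/../ to the callback host
        "poc_shape": "/../" in target_url.path,
        # an internal target means the server is being used to reach something
        # the attacker cannot reach directly; an external one is usually the
        # out-of-band confirmation step of a scanner
        "severity": "high" if target == "internal" else "medium",
    }


def scan_log(text: str) -> List[Dict]:
    """Run analyze_request over every JSON line and collect the findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        finding = analyze_request(rec["method"], rec["path"], rec.get("body", ""))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['target']:8} {f['host']:16} {f['url']}")
```

Only the POST body is inspected because that is where the template and the IOC above place the parameter; if your proxy logs bodies only up to a size limit, make sure the limit is large enough to keep the 'url' field, which sits near the start of the form.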
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |
| vulncheck | | 7.5 | HIGH | |
OSV
CVE-2024-29198 [HIGH] GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost
osv · 2025-06-10 · CVSS 7.5
### Summary
It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set.
### Details
An unauthenticated user can supply a request that will be issued by the server. This can be used to enumerate internal networks and, in the case of cloud instances, to obtain sensitive data.
### Mitigation
1. When using GeoServer with a proxy, manage the proxy base value as a system administrator: use the application property ``PROXY_BASE_URL`` to provide a non-empty value that cannot be overridden by the user interface or an incoming request.
2. When using GeoServer directly without a proxy, block all access to TestWfsPost by editing the web.xml file. Adding this b
GHSA
CVE-2024-29198 [HIGH] CWE-918 GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost
ghsa · 2025-06-10 · CVSS 7.5
(advisory text identical to the OSV record above)
GHSA
CVE-2021-40822 [HIGH] CWE-918 GeoServer allows SSRF via the option for setting a proxy host
ghsa · 2022-05-03
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
OSV
CVE-2021-40822 [HIGH] GeoServer allows SSRF via the option for setting a proxy host
osv · 2022-05-03
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
VulnCheck
CVE-2021-40822 [HIGH] OSGeo GeoServer Server-Side Request Forgery (SSRF)
vulncheck · 2021 · CVSS 7.5
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.
Affected: OSGeo GeoServer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-40822
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2021-40822
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&host_type=src&vulnerability=cve-2021-40822
- https://dashboard.shadowserver.org/
No detection rules found.
Nuclei
CVE-2021-40822 [HIGH] Geoserver - Server-Side Request Forgery
nuclei · CVSS 7.5
GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows server-side request forgery via the option for setting a proxy host.
Template:
```yaml
id: CVE-2021-40822

info:
  name: Geoserver - Server-Side Request Forgery
  author: For3stCo1d,aringo-bf
  severity: high
  description: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows server-side request forgery via the option for setting a proxy host.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
  remediation: |
    Apply the latest security patches or updates provided by the Geoserver project to mitigate the SSRF vulnerability.
  reference:
    - https://gccybermonks.com/posts/cve-2021-40822/
    - https://gi
```
References:
- https://github.com/geoserver/geoserver/compare/2.19.2...2.19.3
- https://github.com/geoserver/geoserver/releases
- https://osgeo-org.atlassian.net/browse/GEOS-10229
- https://osgeo-org.atlassian.net/browse/GEOS-10229?focusedCommentId=83508