CVE-2021-40822
published 2022-05-02

CVE-2021-40822: GeoServer through 2.18.5 and 2.19.x through 2.19.2 allows SSRF via the option for setting a proxy host.

Priority: P1 80 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
VulnCheck KEV: ITW exploit, exploited in the wild
EPSS: 18.93% (96.9th percentile)

Affected (2 ranges)

Vendor   Product     Version range          Fixed in
osgeo    geoserver   <= 2.18.5              -
osgeo    geoserver   >= 2.19.0, < 2.19.3    2.19.3

Detection & IOCs (extracted from sources)

url: /geoserver/TestWfsPost
path: /geoserver/TestWfsPost
command: form_hf_0=&url=http://oast.pro/geoserver/../&body=&username=&password=
  • Detect SSRF exploitation attempts by monitoring POST requests to /geoserver/TestWfsPost with a user-controlled 'url' parameter in the body.
  • GeoServer instances can be fingerprinted by checking the response body for the strings 'geoserver.web', 'geoserverbasepage', or 'GeoServer: Redirecting' at the /geoserver/ path.
  • Use Shodan queries 'title:"GeoServer"' or 'http.title:"geoserver"' to identify exposed GeoServer instances potentially vulnerable to this SSRF.
  • Use FOFA queries 'app="GeoServer"' or 'title="geoserver"' to identify exposed GeoServer instances.
  • Use Google dork 'intitle:"geoserver"' to discover publicly exposed GeoServer instances.
  • Successful SSRF exploitation results in an HTTP 200 response with 'Interactsh' in the body and 'text/html' in the Content-Type header, indicating out-of-band callback was triggered.
  • The SSRF is triggered via the proxy host configuration option; the TestWfsPost endpoint is the attack vector used to supply an arbitrary URL.
  • The exploit template uses a two-step flow: first confirm GeoServer is present at /geoserver/, then send the SSRF payload to /geoserver/TestWfsPost. Both steps must succeed for a confirmed finding.
  • Affected versions are GeoServer <= 2.18.5 and 2.19.x <= 2.19.2; versions 2.19.3 and later contain the fix.
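The first detection bullet above, worked into code as an added example (not part of this record or of any published Nuclei template or rule): it classifies POST requests to /geoserver/TestWfsPost by where the user-supplied url parameter points. The request records, the hostnames in them and the ALLOWED_HOSTS allowlist are all constructed assumptions; in practice the bodies would come from a reverse proxy or WAF that logs POST bodies.

```python
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/geoserver/TestWfsPost"
# Hosts the WFS test form is legitimately expected to contact (assumption:
# the GeoServer instance itself). Anything else is worth an alert.
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}

# Constructed sample records: (method, path, body). Hostnames are made up.
SAMPLE_REQUESTS = [
    ("GET", "/geoserver/web/", ""),
    ("POST", TARGET_PATH,
     "form_hf_0=&url=http://localhost:8080/geoserver/wfs&body=&username=&password="),
    ("POST", TARGET_PATH,
     "form_hf_0=&url=http://oast.example/geoserver/../&body=&username=&password="),
    ("POST", TARGET_PATH,
     "form_hf_0=&url=http://internal-host.example/&body=&username=&password="),
]


def classify(method, path, body):
    """Return the reasons a request looks like CVE-2021-40822 abuse (empty list = benign)."""
    if method != "POST" or path != TARGET_PATH:
        return []
    params = parse_qs(body, keep_blank_values=True)
    reasons = []
    for candidate in params.get("url", []):
        parts = urlsplit(candidate)
        host = parts.hostname or ""
        if host and host not in ALLOWED_HOSTS:
            reasons.append(f"url parameter targets non-allowlisted host {host!r}")
        if "/../" in parts.path or parts.path.endswith("/.."):
            reasons.append("url parameter contains a path traversal sequence")
    return reasons


def scan(requests):
    """Return (index, reasons) for every request that classify() flags."""
    flagged = []
    for i, record in enumerate(requests):
        reasons = classify(*record)
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {i}: " + "; ".join(reasons))
```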

CVSS provenance

nvd         v3.1   7.5   HIGH     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0   5.0   MEDIUM   AV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa               7.5   HIGH
osv                7.5   HIGH
vulncheck          7.5   HIGH