CVE-2023-43795
Published 2023-10-25
Priority P1 · 89 · critical 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 67.72% (99.2nd percentile)
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in versions 2.22.5 and 2.23.2.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | geoserver | < 2.22.5 | 2.22.5 |
| geoserver | geoserver | — | — |
| osgeo | geoserver | < 2.22.5 | 2.22.5 |
| osgeo | geoserver | >= 2.23.0 < 2.23.2 | 2.23.2 |
Detection & IOCs (extracted from sources)
- IOC (other): Content-Type: application/xml (POST to /wms or /geoserver/wms with a WPS XML body containing JTS:area and an interactsh OOB URL)
- Detect CVE-2023-43795 exploitation by monitoring for POST requests to /wms or /geoserver/wms with Content-Type: application/xml whose body is a WPS Execute document that names the JTS:area process and references an external URL (the SSRF trigger).
- Look for outbound HTTP callbacks from the GeoServer host following such a WPS POST: a successful SSRF makes GeoServer request the attacker-controlled URL (OOB interaction).
- Fingerprint exposed GeoServer instances via the Shodan query title:"GeoServer" or the FOFA query app="GeoServer" to size the attack surface.
- The vulnerability is unauthenticated (PR:N) and network-reachable (AV:N); the exploit POST carries no authentication headers.
- GeoServer releases before 2.22.5, and 2.23.0 through 2.23.1, are vulnerable; flag any instance reporting a version in those ranges.
- The Nuclei template embeds two randomised variables (string, value) in the WPS XML payload and confirms via an OOB (interactsh) callback match; detection requires an OOB listener, and passive log-only detection will miss the confirmation step.
- The template stops at the first match across the two paths (/wms, /geoserver/wms), so only one path is tested per target; make sure custom detection rules cover both.
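The detection notes above, turned into runnable checks. This is an example added for this page, not GeoServer's code and not the Nuclei template: the request body is a constructed WPS 1.0.0 Execute document with a wps:Reference input (the structure the notes describe), the log records, host names and timestamps are constructed, and the /wps and /ows path suffixes, the record field names and the 30-second correlation window are assumptions. It goes slightly beyond the notes by classifying where the referenced URL points (loopback, link-local, private or external) rather than flagging only external hosts, since an SSRF aimed at an internal address is the more damaging case.

```python
"""Added example (not GeoServer or Nuclei code): the detection notes as checks over
constructed log records (request fields ts/src/dst/method/path/content_type/body,
egress fields ts/src/dst_host are assumed names)."""
from __future__ import annotations

import ipaddress
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import urlparse

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# /wms and /geoserver/wms come from the detection notes; /wps and /ows are an
# assumption (GeoServer also dispatches WPS Execute through those endpoints).
OWS_PATH_SUFFIXES = ("/wms", "/wps", "/ows")

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # '{ns}Execute' -> 'Execute'

def classify_target(host: str) -> str:
    """Where a referenced URL points; internal targets matter as much as OOB ones."""
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # hostname; DNS rebinding may still resolve internally
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"  # e.g. a cloud metadata endpoint
    return "private" if ip.is_private else "external"

def inspect_request(rec: dict) -> dict | None:
    """Finding if rec is a POST WPS Execute whose input is fetched from a URL."""
    if rec["method"].upper() != "POST":
        return None
    if not urlparse(rec["path"]).path.rstrip("/").endswith(OWS_PATH_SUFFIXES):
        return None
    if rec.get("content_type", "").split(";")[0].strip().lower() not in ("application/xml", "text/xml"):
        return None
    try:
        root = ET.fromstring(rec["body"])  # ElementTree does not resolve external entities
    except ET.ParseError:
        return None
    if _local(root.tag) != "Execute":
        return None
    process = next((c.text.strip() for c in root if _local(c.tag) == "Identifier" and c.text), "?")
    refs = []
    for el in root.iter():
        if _local(el.tag) != "Reference":
            continue
        href = el.get(XLINK_HREF) or el.get("href") or ""
        p = urlparse(href)
        if p.scheme in ("http", "https") and p.hostname:
            refs.append({"url": href, "host": p.hostname, "target": classify_target(p.hostname)})
    if not refs:
        return None  # inline data only; the server fetches nothing
    return {"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "path": rec["path"],
            "process": process, "refs": refs}

def confirm_with_egress(finding: dict, egress: list[dict], window_s: float = 30.0) -> bool:
    """True if the targeted host reached a referenced host within window_s seconds."""
    hosts = {r["host"] for r in finding["refs"]}
    return any(ev["src"] == finding["dst"] and ev["dst_host"] in hosts
               and 0 <= (ev["ts"] - finding["ts"]).total_seconds() <= window_s
               for ev in egress)

def is_vulnerable_version(version: str) -> bool:
    """Fixed in 2.22.5 and 2.23.2: vulnerable if < 2.22.5 or 2.23.0 <= v < 2.23.2."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(g or 0) for g in m.groups())
    return v < (2, 22, 5) or (2, 23, 0) <= v < (2, 23, 2)

def execute_body(geom_input: str) -> str:
    """Constructed WPS 1.0.0 Execute for JTS:area with one 'geom' input element."""
    return f"""<wps:Execute version="1.0.0" service="WPS" xmlns:wps="http://www.opengis.net/wps/1.0.0"
  xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:xlink="http://www.w3.org/1999/xlink">
  <ows:Identifier>JTS:area</ows:Identifier>
  <wps:DataInputs><wps:Input><ows:Identifier>geom</ows:Identifier>{geom_input}</wps:Input></wps:DataInputs>
  <wps:ResponseForm><wps:RawDataOutput><ows:Identifier>result</ows:Identifier></wps:RawDataOutput></wps:ResponseForm>
</wps:Execute>"""

# Constructed sample traffic: one SSRF attempt, one GetCapabilities, one inline-data WPS call.
REF_INPUT = '<wps:Reference mimeType="text/xml; subtype=gml/3.1.1" method="GET" xlink:href="http://oob.example.net/abcd1234"/>'
INLINE_INPUT = '<wps:Data><wps:ComplexData mimeType="application/wkt">POLYGON((0 0,1 0,1 1,0 1,0 0))</wps:ComplexData></wps:Data>'
T0 = datetime(2024, 7, 22, 10, 0, 0)
REQUESTS = [
    {"ts": T0, "src": "203.0.113.9", "dst": "geoserver-1", "method": "POST", "path": "/geoserver/wms",
     "content_type": "application/xml", "body": execute_body(REF_INPUT)},
    {"ts": T0, "src": "198.51.100.4", "dst": "geoserver-1", "method": "GET",
     "path": "/geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities", "content_type": "", "body": ""},
    {"ts": T0, "src": "198.51.100.5", "dst": "geoserver-1", "method": "POST", "path": "/geoserver/wps",
     "content_type": "text/xml; charset=UTF-8", "body": execute_body(INLINE_INPUT)},
]
EGRESS = [{"ts": T0 + timedelta(seconds=2), "src": "geoserver-1", "dst_host": "oob.example.net"}]
```

Run `inspect_request` over each access-log record and `confirm_with_egress` over the matching egress records; a finding that correlates with an outbound connection from the GeoServer host is the confirmation step the notes say log-only detection misses. The inline-data request produces no finding on purpose: a WPS Execute whose input arrives in the body makes the server fetch nothing, so it is not the SSRF pattern. Note that `is_vulnerable_version` follows the affected table exactly (2.22.5 and later 2.22.x are fixed, 2.23.0 and 2.23.1 are not).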
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 8.6 HIGH
GHSA
WPS Server Side Request Forgery vulnerability
ghsa·2023-10-24
CVE-2023-43795 [HIGH] CWE-918 WPS Server Side Request Forgery vulnerability
### Summary
The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests.
This presents the opportunity for Server Side Request Forgery.
### Details
This vulnerability requires:
* The WPS extension to be installed
* The WPS security setting "Disable complex inputs" to be unselected
* Security URL checks to be disabled
### Impact
This vulnerability presents the opportunity for Server Side Request Forgery.
### Mitigation
The ability to reference an external URL location is defined by the WPS standard Execute operation. This operation is defined by an industry and international standard and cannot be redefined by the GeoServer application in isolation.
To disable compl
OSV
WPS Server Side Request Forgery vulnerability
osv·2023-10-24
CVE-2023-43795 [HIGH] WPS Server Side Request Forgery vulnerability
VulnCheck
OSGeo GeoServer Server-Side Request Forgery (SSRF)
vulncheck·2023·CVSS 8.6
CVE-2023-43795 [HIGH] OSGeo GeoServer Server-Side Request Forgery (SSRF)
Affected: OSGeo GeoServer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-07-22&host_type=src&vulnerability=cve-2023-43795; https://dashboard.shadowserver.o
No detection rules found.
Nuclei
GeoServer WPS - Server Side Request Forgery
nuclei·CVSS 9.8
CVE-2023-43795 [CRITICAL] GeoServer WPS - Server Side Request Forgery
Template:
```yaml
id: CVE-2023-43795
info:
  name: GeoServer WPS - Server Side Request Forgery
  author: DhiyaneshDK
  severity: critical
  description: |
    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST reques
```
No writeups or analysis indexed.