### Critical Vulnerability Information

#### Vulnerability Name
Coverage REST API Server Side Request Forgery

#### Affected Versions
- `org.geoserver:gs-rest` (Maven): < 2.26.0
- `org.geoserver.web:gs-web-app` (Maven): < 2.26.0

#### Fixed Versions
- `org.geoserver:gs-rest`: 2.26.0
- `org.geoserver.web:gs-web-app`: 2.26.0

#### Vulnerability Description
The Coverage REST API endpoint `/workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format}` accepts a coverage upload by URL (when `{method}` is `url`) and fetches the caller-specified URL server-side without applying any restriction to it.

#### Vulnerability Details
When `{method}` is `url`, the caller specifies the URL from which GeoServer retrieves the coverage file. Before the fix, that URL was handed straight to the fetch without being validated by the URL Checks feature. A caller holding the high privileges the endpoint requires can therefore direct GeoServer to request arbitrary URLs, including hosts on its internal network that the caller cannot reach directly. The fix runs the supplied URL through the URL Checks before it is fetched.

#### Example Code
The fix validates the caller-supplied URL against the configured URL Checks before fetching it:

```java
// Fix: the URL must pass the configured URL Checks; it is rejected otherwise
URLCheckers.confirm(fileURL);
```

#### Vulnerable File
RESTUtils.java

#### Impact
This vulnerability enables Server Side Request Forgery (SSRF): GeoServer can be made to issue HTTP requests on the attacker's behalf to destinations chosen by the attacker.

#### Reference Links
- [GEOS-11468](https://osgeo-org.atlassian.net/browse/GEOS-11468)
- [GEOS-11717](https://osgeo-org.atlassian.net/browse/GEOS-11717)

#### CVSS v3 Base Metrics
- **Severity**: Medium (5.5/10)
- **Attack Vector**: Network
- **Attack Complexity**: Low
- **Required Privileges**: High
- **User Interaction**: None
- **Scope**: Unchanged
- **Confidentiality Impact**: High
- **Integrity Impact**: None
- **Availability Impact**: Low

#### CVE ID
CVE-2024-40625

#### Weakness
CWE-918 (Server-Side Request Forgery)

#### Reporter and Fix Developer
- **Reporter**: trganda
- **Fix Developer**: jodygarnett
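The following is an added example, not GeoServer code, that models the difference between the unpatched and patched `url` upload path described above. `URLCheckers`, `RegexURLCheck`, `URLCheckException`, the two `*_upload_from_url` functions and the sample policy and URLs are all hypothetical constructions for illustration; they mimic the shape of GeoServer's URL Checks (a global switch plus an allow-list of regular expressions that a URL must match) but are not the project's implementation. No network request is made: each path returns the (scheme, host, port) the server would connect to, which is the fact that matters for SSRF.

```python
"""Model of an allow-list URL check in front of a server-side fetch.

Added example, not GeoServer code. It shows why the unpatched coverage
store upload (method == 'url') is an SSRF, and how a fail-closed check
run before the fetch removes it.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


class URLCheckException(ValueError):
    """Raised when a URL matches no enabled check (fail closed)."""


@dataclass(frozen=True)
class RegexURLCheck:
    name: str
    pattern: str          # regular expression the whole URL string must match
    enabled: bool = True


class URLCheckers:
    """Hypothetical allow-list checker (not the GeoServer class of the same name)."""

    def __init__(self, checks, enabled=True):
        self.checks = list(checks)
        self.enabled = enabled

    def confirm(self, url: str) -> str:
        # With the feature switched off, every URL passes: this is what the
        # unpatched code effectively did, since it never consulted the checks.
        if not self.enabled:
            return url
        for check in self.checks:
            if check.enabled and re.fullmatch(check.pattern, url):
                return url
        raise URLCheckException(f"URL {url!r} matched no enabled URL check")


def is_allowed(checkers: URLCheckers, url: str) -> bool:
    """Boolean view of confirm() for callers that prefer not to catch."""
    try:
        checkers.confirm(url)
        return True
    except URLCheckException:
        return False


def fetch_target(url: str):
    """Return (scheme, host, port) the server would connect to; no real fetch."""
    p = urlparse(url)
    return (p.scheme, p.hostname, p.port)


def vulnerable_upload_from_url(file_url: str):
    """Unpatched behaviour: the caller-supplied URL is used as-is."""
    return fetch_target(file_url)


def hardened_upload_from_url(checkers: URLCheckers, file_url: str):
    """Patched behaviour: the URL must pass the checks before it is fetched."""
    checkers.confirm(file_url)
    return fetch_target(file_url)


# Constructed sample policy: only imagery from one external bucket is allowed;
# a second rule exists but is switched off, so it must not admit anything.
EXAMPLE_CHECKS = URLCheckers([
    RegexURLCheck("imagery-bucket", r"https://imagery\.example\.org/.*\.tiff?"),
    RegexURLCheck("legacy-mirror", r"https://old-mirror\.example\.org/.*", enabled=False),
])

# Constructed inputs: one legitimate source and three an attacker might supply.
LEGIT = "https://imagery.example.org/tiles/2024/dem.tif"
LOOPBACK = "http://127.0.0.1:8080/geoserver/rest/about/status"
LOCAL_FILE = "file:///etc/passwd"
DISABLED_RULE = "https://old-mirror.example.org/dem.tif"


def demo():
    """Run every sample URL through both paths and collect the outcomes."""
    results = {}
    samples = (("legit", LEGIT), ("loopback", LOOPBACK),
               ("file", LOCAL_FILE), ("disabled_rule", DISABLED_RULE))
    for label, url in samples:
        results[label] = {"vulnerable": vulnerable_upload_from_url(url)}
        try:
            results[label]["hardened"] = hardened_upload_from_url(EXAMPLE_CHECKS, url)
        except URLCheckException as exc:
            results[label]["hardened"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:14} vulnerable={outcome['vulnerable']}  hardened={outcome['hardened']}")
```

The allow-list is deliberately fail-closed: a URL that matches no enabled rule is rejected, which is what stops the loopback and `file://` inputs. A deny-list of "bad" hosts would not have been enough, since an attacker can route through DNS names, alternate IP encodings or redirects. Note also that the check is only as strong as its configuration: with the feature disabled (`enabled=False`) the hardened path behaves exactly like the vulnerable one.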