CVE-2023-40017 — GeoNode Server Side Request forgery

Description

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts. A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.

How to fix CVE-2023-40017

To remediate CVE-2023-40017, upgrade the affected package to a fixed version below.

—upgrade to 4.2.0 or later
—upgrade to a9eebae80cb362009660a1fd49e105e7cdb499b9 or later

Is CVE-2023-40017 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 3.2.0, < 4.2.0
from 0, < a9eebae80cb362009660a1fd49e105e7cdb499b9 | >= 3.2.0, < 4.1.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-40017
PATCHgithub.com/GeoNode/geonode
WEBgithub.com/GeoNode/geonode/commit/a9eebae80cb362009660a1fd49e105e7cdb499b9
WEBgithub.com/GeoNode/geonode/security/advisories/GHSA-rmxg-6qqf-x8mr