Headline
CVE-2023-26043: [Fixes #10462] GeoNode is vulnerable to an XML External Entity (XXE) … · GeoNode/geonode@2fdfe91
GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. This issue has been patched in version 4.0.3.
@@ -238,7 +238,7 @@ def extract_name_from_sld(gs_catalog, sld, sld_file=None):
sld = sld_file.read()
if isinstance(sld, str):
sld = sld.encode(‘utf-8’)
dom = etree.XML(sld)
dom = etree.XML(sld, parser=etree.XMLParser(resolve_entities=False))
elif sld_file and isfile(sld_file):
with open(sld_file, “rb”) as sld_file:
sld = sld_file.read()
@@ -378,7 +378,7 @@ def set_dataset_style(saved_dataset, title, sld, base_file=None):
elif isinstance(sld, str):
sld = sld.strip(‘b\’\n’)
sld = re.sub(r’(\\r)|(\\n)', '’, sld).encode(“UTF-8”)
etree.XML(sld)
etree.XML(sld, parser=etree.XMLParser(resolve_entities=False))
elif base_file and isfile(base_file):
with open(base_file, “rb”) as sld_file:
sld = sld_file.read()
Related news
### Summary GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read. ### Details GeoNode's GeoServer has the ability to upload new styles for datasets through the [`dataset_style_upload` view](https://github.com/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/urls.py#L70-L72). ```py # https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/views.py#L158-L159 @login_required def dataset_style_upload(request, layername): def respond(*args, **kw): kw['content_type'] = 'text/html' return json_response(*args, **kw) ... sld = request.FILES['sld'].read() # 1 sld_name = None try: # Check SLD is valid ... sld_name = extract_name_from_sld(gs_catalog, sld, sld_file=request.FILES['sld']) # 2 except Exception as e: respond(errors=f"The uploaded SLD file is not valid X...