CVE-2023-25157: 
Java vulnerability analysis and mitigation

GeoServer, an open-source software server written in Java for sharing and editing geospatial data, was found to contain SQL Injection vulnerabilities (CVE-2023-25157). The vulnerability was discovered and disclosed on February 21, 2023. The issue affects GeoServer versions prior to 2.21.4, 2.22.2, 2.20.7, 2.19.7, and 2.18.7, specifically impacting the OGC Filter expression language and OGC Common Query Language (CQL) functionality within the Web Feature Service (WFS), Web Map Service (WMS), and Web Coverage Service (WCS) protocols (GeoServer Advisory).

The vulnerability received a CVSS v3.1 score of 9.8 (Critical), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction. The SQL injection vulnerabilities were found in multiple components: PropertyIsLike filter (when used with String fields), strEndsWith and strStartsWith functions (with PostGIS DataStore), FeatureId filter (with String primary key columns), jsonArrayContains function (with String/JSON fields), and DWithin filter (with Oracle DataStore). The vulnerability is tracked as CWE-89 (SQL Injection) (GeoServer Advisory).

Successful exploitation of this vulnerability could allow attackers to view, add, modify, or delete information in the back-end database. The impact includes potential identity spoofing, data tampering, repudiation issues, complete disclosure of system data, data destruction, and potential elevation to database administrator privileges (Security Online).

Several mitigation options are available: 1) Upgrade to patched versions (2.21.4, 2.22.2, 2.20.7, 2.19.7, or 2.18.7), 2) Disable the PostGIS Datastore encode functions setting to mitigate strEndsWith and strStartsWith vulnerabilities, 3) Enable the PostGIS DataStore preparedStatements setting to mitigate the FeatureId vulnerability. Note that Like filters have no mitigation if there is a string field in the feature type published (GeoServer Advisory).