CVE-2023-25158: 
Java vulnerability analysis and mitigation

GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastores. The vulnerability (CVE-2023-25158) was discovered and disclosed on February 21, 2023, affecting GeoTools versions below 28.2, 27.4, 26.7, 25.7, and 24.7. This critical SQL injection vulnerability impacts the GeoTools JavaScript module when executing OGC Filters with JDBCDataStore implementations (GitHub Advisory).

The vulnerability has a CVSS v3.1 score of 9.8 (Critical), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction. The SQL injection vulnerabilities are found in multiple components: PropertyIsLike filter (affecting PostGIS DataStore with 'encode functions' enabled or any JDBCDataStore with String field), strEndsWith and strStartsWith functions (requiring PostGIS DataStore with 'encode functions' enabled), FeatureId filter (affecting JDBCDataStore with prepared statements disabled and table with String primary key), jsonArrayContains function (affecting PostGIS and Oracle DataStore with String or JSON field), and DWithin filter (affecting Oracle DataStore) (GitHub Advisory).

Successful exploitation of this vulnerability could allow an attacker to view, add, modify, or delete information in the back-end database. The impact includes potential data breach, data manipulation, and unauthorized access to the database server with administrator privileges (Security Online).

Mitigation strategies include upgrading to the patched versions: GeoTools 28.2, 27.4, 26.7, 25.7, or 24.7. For partial mitigation, users can disable 'encode functions' in PostGIS DataStore and enable 'prepared statements' in PostGIS (the only database with such settings). These configuration changes can be implemented through the database connection parameters (GitHub Advisory).