CVE-2023-26043: 
Python vulnerability analysis and mitigation

GeoNode, an open source platform for geospatial data creation and sharing, was found to be vulnerable to an XML External Entity (XXE) injection vulnerability (CVE-2023-26043) in the style upload functionality of GeoServer. The vulnerability was discovered in versions prior to 4.0.3 and was patched in version 4.0.3. This security issue was identified and reported by Jorge Rosillo from the GitHub Security Lab (GitHub Security Lab).

The vulnerability exists in GeoNode's GeoServer style upload functionality through the datasetstyleupload view. The issue occurs because the application uses etree.XML with default XMLParser settings, where the resolve_entities flag is set to True. This allows the parsing of XML containing resolved entities, potentially leading to unauthorized file access. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (GitHub Advisory).

The vulnerability allows an authenticated attacker to perform arbitrary file read operations on the server. When successfully exploited, an attacker could access sensitive files and obtain confidential information from the system (GitHub Security Lab).

The vulnerability has been patched in GeoNode version 4.0.3. The fix involves modifying the XML parsing to explicitly set resolve_entities=False in the XMLParser configuration. Users are strongly recommended to upgrade to version 4.0.3 or later to address this security issue (GitHub Advisory).