CVE-2023-42439: 
Python vulnerability analysis and mitigation

GeoNode, an open source platform for geospatial data management, was found to contain a Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-42439) starting from version 3.2.0. The vulnerability was discovered and disclosed in September 2023, affecting all versions up to 4.1.3. The vulnerability allows bypassing existing whitelist controls, potentially exposing internal network data (GitHub Advisory).

The vulnerability exists in GeoNode's proxy functionality where the whitelist protection mechanism can be bypassed. The attack vector involves using the @ symbol or its URL-encoded equivalent %40 in the URL to trick the application into accepting a whitelisted address while actually directing the request to an internal host. For example, a request like /proxy/?url=http://development.demo.geonode.org%40geoserver:8080/geoserver/web would bypass the whitelist controls. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) by NVD and 7.5 (High) by GitHub (NVD).

When exploited, this vulnerability allows attackers to perform full read SSRF attacks, potentially accessing and retrieving sensitive data from internal network services. The attacker can bypass existing security controls to request internal services and obtain their responses (GitHub Advisory).

The vulnerability has been patched in version 4.1.3.post1. Organizations running affected versions should upgrade to this version or later to address the vulnerability. The fix includes improved URL parsing and credential removal mechanisms (GeoNode Release, GeoNode Patch).