CVE-2023-43795: 
Java vulnerability analysis and mitigation

GeoServer, an open source Java-based software server for sharing and editing geospatial data, was found to contain a Server Side Request Forgery (SSRF) vulnerability in its OGC Web Processing Service (WPS) specification. The vulnerability, identified as CVE-2023-43795, was discovered in the WPS functionality that processes information from servers using GET and POST requests. This security issue has been patched in versions 2.22.5 and 2.23.2 (GitHub Advisory).

The vulnerability exists in the WPS extension's handling of complex inputs from remote references. The issue specifically occurs when the WPS security setting 'Disable complex inputs' is unselected and Security URL checks are disabled. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL from NVD and 8.6 HIGH from GitHub, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) (NVD).

The vulnerability allows for Server Side Request Forgery (SSRF) attacks, potentially enabling attackers to make unauthorized requests from the server. According to the CVSS metrics, this vulnerability can result in high confidentiality impact and low integrity and availability impacts (GitHub Advisory).

For users unable to upgrade immediately, the recommended mitigation is to navigate to Security > WPS Security page and select the checkbox for 'Disable loading complex inputs from remote references'. For users of GeoServer 2.22.5 and 2.23.2, the resolution involves enabling URL Checks under Security > URL Checks. Users should also configure trusted locations for external services. Processing of complex inputs safely is enabled by default in GeoServer 2.24.0 (GitHub Advisory).