CVE-2026-39922
⚪ For information
Exploitation of a vulnerability in GeoNode allows attackers to send requests to arbitrary URLs.
CVSS
6.3
EPSS
0.0%
Exploit
none
Vendor
geosolutionsgroup
Source description (NVD)
GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.
ssrf
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 6.3 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.0% |
| Published (NVD) | 2026-04-10 20:16:22 UTC |
| Last modified (NVD) | 2026-04-16 01:16:10 UTC |
References
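The NVD description names the missing controls: the service URL was not checked for loopback, RFC1918, link-local or cloud-metadata destinations, and no allowlist was enforced. The validator below is an added example written for this page, not GeoNode's code and not the project's fix; the function names, the `FAKE_DNS` table, the `ALLOWED_HOSTS` set and the hostnames in them are constructed for the demonstration. It rejects non-HTTP schemes, literal and DNS-resolved addresses in forbidden ranges (IPv4-mapped IPv6 included) and, when an allowlist is supplied, any host outside it.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline (hypothetical names and addresses).
FAKE_DNS = {
    "demo.geo-server.example": {"93.184.216.34"},  # public address: should pass
    "rebound.example": {"10.0.0.5"},               # resolves into RFC1918 space: must fail
}
# Hypothetical deployment allowlist of remote service hosts an operator trusts.
ALLOWED_HOSTS = {"demo.geo-server.example"}


def fake_resolve(host):
    """Stand-in for a DNS lookup; mirrors system_resolve() but uses FAKE_DNS."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise socket.gaierror(f"cannot resolve {host}")


def system_resolve(host):
    """Real resolver: every IPv4/IPv6 address the name maps to (needs network)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_forbidden_address(addr):
    """True for loopback, RFC1918/ULA, link-local (which covers the 169.254.169.254
    metadata endpoint), multicast, reserved and unspecified addresses.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped so it cannot bypass the IPv4 checks."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_service_url(url, resolve=system_resolve, allowlist=None):
    """Return (ok, reason) for a user-supplied remote service URL.

    Every address the host resolves to is checked, not just the first, because a
    name with one public and one private record would otherwise slip through."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # strips [] from IPv6 literals and lowercases
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if allowlist is not None and host not in allowlist:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # literal IP, no lookup needed
    except ValueError:
        try:
            addresses = resolve(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
    for addr in addresses:
        if is_forbidden_address(addr):
            return False, f"{host!r} maps to forbidden address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1:8000/wms",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:10.0.0.1]/wms",
                      "http://rebound.example/wms",
                      "https://demo.geo-server.example/wms"):
        print(candidate, "->", validate_service_url(candidate, resolve=fake_resolve))
```

Two caveats matter when wiring a check like this into a service-registration form: the later fetch must connect to the address that was validated (pin the resolved IP or re-run the check inside the HTTP client) so that a DNS answer cannot change between validation and use, and any redirect the remote server returns has to be validated the same way before it is followed.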
- https://github.com/GeoNode/geonode/security/advisories/GHSA-hw9r-6m78-w6h3 (disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration (disclosure@vulncheck.com) [Third Party Advisory]