{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/pygeoapi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pygeoapi (0.23.0 - 0.23.2)"],"_cs_severities":["high"],"_cs_tags":["pygeoapi","ssrf","ogc api","cve-2026-42352","vulnerability","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003epygeoapi versions 0.23.0, 0.23.1, and 0.23.2 are vulnerable to Server-Side Request Forgery (SSRF). The vulnerability stems from the OGC API - Processes functionality, specifically how it handles the \u003ccode\u003esubscriber\u003c/code\u003e object during process execution. An unauthenticated attacker can exploit this flaw to send requests to internal HTTP services, potentially gaining access to sensitive information or triggering unintended actions within the internal network. This issue was patched in version 0.23.3 by disabling internal HTTP requests by default, unless explicitly allowed in the configuration. The patch includes the introduction of an \u003ccode\u003eallow_internal_requests\u003c/code\u003e directive for administrators who require this functionality. This vulnerability poses a significant risk to organizations using affected versions of pygeoapi.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a pygeoapi instance running a vulnerable version (0.23.0 - 0.23.2).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious OGC API process execution request.\u003c/li\u003e\n\u003cli\u003eWithin the request, the attacker manipulates the \u003ccode\u003esubscriber\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esubscriber\u003c/code\u003e object is configured to target an internal HTTP service by specifying the internal service\u0026rsquo;s address.\u003c/li\u003e\n\u003cli\u003epygeoapi processes the request without proper validation of the \u003ccode\u003esubscriber\u003c/code\u003e object\u0026rsquo;s target.\u003c/li\u003e\n\u003cli\u003epygeoapi initiates an HTTP request to the attacker-specified internal service.\u003c/li\u003e\n\u003cli\u003eThe internal service responds to pygeoapi.\u003c/li\u003e\n\u003cli\u003epygeoapi may then relay information received from the internal service back to the attacker, or the attacker might be able to trigger actions based on the SSRF.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows an unauthenticated attacker to interact with internal HTTP services that should not be publicly accessible. This can lead to the disclosure of sensitive information, such as internal configurations, API keys, or customer data. The attacker may also be able to trigger actions on the internal services, potentially leading to service disruption or data manipulation. The severity of the impact depends on the nature and security posture of the internal services exposed by this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to pygeoapi version 0.23.3 or later to remediate CVE-2026-42352.\u003c/li\u003e\n\u003cli\u003eApply the provided patch \u003ca href=\"https://github.com/geopython/pygeoapi/commit/3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef\"\u003e3a63f5b0cc6275e3ae0edb47726b13a43cdd90ef\u003c/a\u003e if upgrading is not immediately feasible.\u003c/li\u003e\n\u003cli\u003eIf upgrading or patching is not immediately feasible, disable process-based resources in the pygeoapi configuration as a workaround.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-pygeoapi-ssrf/","summary":"pygeoapi versions 0.23.0 to 0.23.2 contain an unauthenticated server-side request forgery (SSRF) vulnerability where OGC API process execution requests can use the subscriber object to make requests to internal HTTP services, which is resolved in version 0.23.3 by disabling internal requests by default.","title":"pygeoapi Unauthenticated SSRF Vulnerability in OGC API - Processes Subscriber","url":"https://feed.craftedsignal.io/briefs/2024-01-pygeoapi-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Pygeoapi","version":"https://jsonfeed.org/version/1.1"}