💥GeoServer SQL Injection Vulnerability Analysis (CVE-2023-25157)

SQL Injection Vulnerabilities have been found with:
💾 PropertyIsLike filter, when used with a String field and any database DataStore, or with a PostGIS DataStore with encode functions enabled
💾 strEndsWith function, when used with a PostGIS DataStore with encode functions enabled
💾 strStartsWith function, when used with a PostGIS DataStore with encode functions enabled
💾 FeatureId filter, when used with any database table having a String primary key column and when prepared statements are disabled
💾 jsonArrayContains function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only)
💾 DWithin filter, when used with an Oracle DataStore


🔖CVE-2023-25157 - GeoServer SQL Injection - PoC

Usage:
python3 CVE-2023-25157.py <URL>

💥RCE in GitLab's CLI tool

Attack scenario:
1️⃣Attacker creates a repository. They create a branch named "@|calc".
2️⃣To make the attack more convincing, they set this branch as the default branch.
3️⃣Victim clones the repository on their machine.
4️⃣Victim tries to create an MR using glab mr create --web
5️⃣The following command is run: cmd.exe /c "start https://gitlab.com/test-user/test-repo/-/merge_requests/new?merge_request[title]=%s^&merge_request[description]=%s^&merge_request[source_branch]=%s^&merge_request[target_branch]=@|calc^&merge_request[source_project_id]=%d^&merge_request[target_project_id]=%d".
6️⃣The pipe character allows to break out of the URL context and launch calc.