{"id":"PYSEC-2023-269","details":"GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. In versions 3.2.0 through 4.1.2, the endpoint `/proxy/?url=` does not properly protect against server-side request forgery. This allows an attacker to port scan internal hosts and request information from internal hosts. A patch is available at commit a9eebae80cb362009660a1fd49e105e7cdb499b9.","aliases":["CVE-2023-40017","GHSA-rmxg-6qqf-x8mr"],"modified":"2024-11-21T14:57:19.315227Z","published":"2023-08-24T23:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/GeoNode/geonode/security/advisories/GHSA-rmxg-6qqf-x8mr"},{"type":"FIX","url":"https://github.com/GeoNode/geonode/commit/a9eebae80cb362009660a1fd49e105e7cdb499b9"}],"affected":[{"package":{"name":"geonode","ecosystem":"PyPI","purl":"pkg:pypi/geonode"},"ranges":[{"type":"GIT","repo":"https://github.com/GeoNode/geonode","events":[{"introduced":"0"},{"fixed":"a9eebae80cb362009660a1fd49e105e7cdb499b9"}]},{"type":"ECOSYSTEM","events":[{"introduced":"3.2.0"},{"fixed":"4.1.3"}]}],"versions":["3.2.0","3.2.1","3.2.2","3.2.3","3.2.3.post1","3.2.4","3.3.0","3.3.1","3.3.1.post1","3.3.2","3.3.2.post1","3.3.2.post2","3.3.3","4.0.0","4.0.0.post1","4.0.0rc0","4.0.0rc1","4.0.1","4.0.2","4.0.3","4.1.0","4.1.1","4.1.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/geonode/PYSEC-2023-269.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}