漏洞描述
GeoTools 库使用 Eclipse XSD 库来处理 XML 数据,但未正确配置 EntityResolver,导致 XML 外部实体 (XXE) 漏洞。当 GeoServer 或 GeoNetwork 调用 GeoTools 库处理 XML 数据时,攻击者可以注入恶意的 XML 实体,从而读取本地文件或发起其他攻击。
GeoServer /geoserver/wfs XML 外部实体注入漏洞(CVE-2025-30220)
PoC代码
暂无相关漏洞推荐
- POC CVE-2021-40822: Geoserver - Server-Side Request Forgery
- POC CVE-2022-24816: GeoServer <1.2.2 - Remote Code Execution
- POC CVE-2023-25157: GeoServer OGC Filter - SQL Injection
- POC CVE-2023-43795: GeoServer WPS - Server Side Request Forgery
- POC CVE-2024-29198: GeoServer Demo Request Endpoint - Server Side Request Forgery
- POC CVE-2024-36401: GeoServer RCE in Evaluating Property Name Expressions
- POC CVE-2024-36404: GeoServer and GeoTools - Remote Code Execution
- POC CVE-2025-27505: GeoServer - Missing Authorization on REST API Index
- POC CVE-2025-30220: GeoServer WFS - XXE Processing Vulnerability
- POC CVE-2021-40822: Geoserver - Server-Side Request Forgery
- POC CVE-2022-24816: GeoServer <1.2.2 - Remote Code Execution
- POC CVE-2023-25157: GeoServer OGC Filter - SQL Injection
- POC CVE-2024-36401: GeoServer wfs 远程代码执行漏洞