What is the severity of CVE-2023-25158?

CVE-2023-25158 is classified as a medium severity SQL Injection vulnerability.

How do I fix CVE-2023-25158?

To fix CVE-2023-25158, upgrade GeoTools to a version equal to or greater than 24.7 or to a version that does not exhibit the vulnerability.

Which versions of GeoTools are affected by CVE-2023-25158?

CVE-2023-25158 affects GeoTools versions prior to 24.7 and versions from 25.0 up to 25.7, 26.0 up to 26.7, 27.0 up to 27.4, and 28.0 up to 28.2.

What impact does CVE-2023-25158 have on applications?

CVE-2023-25158 could allow an attacker to execute arbitrary SQL commands, leading to potential data leaks or unauthorized data manipulation.

Is CVE-2023-25158 being actively exploited?

As of now, there is no public information indicating that CVE-2023-25158 is actively being exploited in the wild.

Vulnerability/
CVE-2023-25158

critical

9.8

CWE

21/2/2023

10/3/2025

CVE-2023-25158: Unfiltered SQL Injection in Geotools

First published: Tue Feb 21 2023(Updated: )

GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
GeoTools	<24.7
GeoTools	>=25.0<25.7
GeoTools	>=26.0<26.7
GeoTools	>=27.0<27.4
GeoTools	>=28.0<28.2

Remedy

https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-25158?
CVE-2023-25158 is classified as a medium severity SQL Injection vulnerability.
How do I fix CVE-2023-25158?
To fix CVE-2023-25158, upgrade GeoTools to a version equal to or greater than 24.7 or to a version that does not exhibit the vulnerability.
Which versions of GeoTools are affected by CVE-2023-25158?
CVE-2023-25158 affects GeoTools versions prior to 24.7 and versions from 25.0 up to 25.7, 26.0 up to 26.7, 27.0 up to 27.4, and 28.0 up to 28.2.
What impact does CVE-2023-25158 have on applications?
CVE-2023-25158 could allow an attacker to execute arbitrary SQL commands, leading to potential data leaks or unauthorized data manipulation.
Is CVE-2023-25158 being actively exploited?
As of now, there is no public information indicating that CVE-2023-25158 is actively being exploited in the wild.

agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/remedy
agent/severity
agent/author
agent/last-modified-date
agent/title
agent/event
agent/description
agent/first-publish-date
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/geotools
canonical/geotools
version/geotools/25.0
version/geotools/26.0
version/geotools/27.0
version/geotools/28.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.