
GeoNode SSRF Vulnerability in Service Registration Endpoint


09 Jun 2026 · Read 1 min · Severity: schedule it

What changed

GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint.

Who it affects

Authenticated users of GeoNode who can register services; attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services.

What to do today

Update GeoNode to a patched version, or apply a workaround that filters private IP addresses or enforces an allowlist for service URLs.
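
One way to implement the private IP filtering and allowlist workaround named above, as an added example that is not GeoNode's code or its patch. The names `check_service_url`, `is_internal`, `resolve_host` and `sample_resolver`, and the sample hostnames and DNS answers, are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve_host(host):
    """Default resolver: every address the host maps to (IP literals need no DNS)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_internal(addr):
    """True for loopback, RFC1918/private, link-local (cloud metadata) and similar."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address is judged by the IPv4 address it embeds.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def check_service_url(url, allowed_hosts=None, resolver=resolve_host):
    """Return (ok, reason) for a URL submitted for service registration."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host:
        return False, "no host in URL"
    # Optional allowlist: when given, only the listed hosts may be registered.
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "host does not resolve"
    # Reject if ANY resolved address is internal, not just the first one.
    if not addrs or any(is_internal(a) for a in addrs):
        return False, "resolves to internal or no address"
    return True, "ok"

# Constructed sample data: a fake resolver so the checks can be tried offline.
SAMPLE_DNS = {"maps.example.org": ["8.8.8.8"],
              "intranet.example.org": ["8.8.8.8", "10.0.0.5"]}

def sample_resolver(host):
    return SAMPLE_DNS.get(host) or resolve_host(host)
```

This validates the URL at registration time only. The same check has to apply to the address the server actually connects to and to every redirect hop, otherwise a DNS answer that changes between check and fetch bypasses it.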
