How severe is GHSA-99c3-qc2q-p94m?

GHSA-99c3-qc2q-p94m has a CVSS score of 9.8/10, rated CRITICAL. Immediate patching is strongly recommended.

Which packages are affected by GHSA-99c3-qc2q-p94m?

GHSA-99c3-qc2q-p94m affects the following packages: org.geotools:gt-jdbc (Maven), org.geotools:gt-jdbc (Maven), org.geotools:gt-jdbc (Maven), org.geotools:gt-jdbc (Maven), org.geotools:gt-jdbc (Maven). Ecosystems affected: Maven.

How do I fix GHSA-99c3-qc2q-p94m?

Update org.geotools:gt-jdbc to 28.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-99c3-qc2q-p94m is resolved across your whole dependency graph.

How do I detect GHSA-99c3-qc2q-p94m in my Maven dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.geotools:gt-jdbc. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-99c3-qc2q-p94m if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-99c3-qc2q-p94m?

O3 pinpoints whether GHSA-99c3-qc2q-p94m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-99c3-qc2q-p94m actively exploited in the wild?

No public exploit code has been indexed for GHSA-99c3-qc2q-p94m yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-99c3-qc2q-p94m?

GHSA-99c3-qc2q-p94m has an EPSS (Exploit Prediction Scoring System) score of 1.1%, placing it in the 61th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-99c3-qc2q-p94m?

GHSA-99c3-qc2q-p94m is classified as SQL Injection (CWE-89). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation. This is a high-impact weakness class that often enables remote code execution or data exposure.

When was GHSA-99c3-qc2q-p94m published, and has it been updated?

GHSA-99c3-qc2q-p94m was published on February 22, 2023 and was last updated on November 8, 2023. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

☕ Maven

GHSA-99c3-qc2q-p94m

CRITICAL

GeoTools OGC Filter SQL Injection Vulnerabilities

Also known asCVE-2023-25158

Published

Feb 22, 2023

Updated

Nov 8, 2023

Affected

5 pkgs

Patched

5 / 5

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

1.1%probability of exploitation in next 30 days

Lower Risk61th percentile-3.58%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

5 pkgs affected

☕org.geotools:gt-jdbc☕org.geotools:gt-jdbc☕org.geotools:gt-jdbc☕org.geotools:gt-jdbc☕org.geotools:gt-jdbc

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.

Description

Impact

GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore.

SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations:

PropertyIsLike filter
- Requires PostGIS DataStore with "encode functions" enabled
- Or any JDBCDataStore (all relational databases) with String field (no mitigation)
strEndsWith function
- Requires PostGIS DataStore with "encode functions" enabled
strStartsWith function
- Requires PostGIS DataStore with "encode functions" enabled
FeatureId filter
- Requires JDBCDataStore (all relational databases) with prepared statements disabled and table with String primary key (Oracle not affected, SQL Server and MySQL have no settings to enabled prepared statements, PostGIS does)
jsonArrayContains function
- Requires PostGIS and Oracle DataStore with String or JSON field
DWithin filter
- Happens only in Oracle DataStore, no mitigation

Patches

GeoTools 28.2
GeoTools 27.4
GeoTools 26.7
GeoTools 25.7
GeoTools 24.7

Workarounds

Partial mitigation:

In PostGIS DataStore disable "encode functions"
In any PostGIS enable "prepared statements" (only database with such settings)

        Map<String, Object> params = new HashMap<>();
        params.put("dbtype", "postgis");
        params.put("host", "localhost");
        params.put("port", 5432);
        params.put("schema", "public");
        params.put("database", "database");
        params.put("user", "postgres");
        params.put("passwd", "postgres");
        params.put("preparedStatements", true ); // mitigation
        params.put("encode functions", false ); // mitigation

        DataStore dataStore = DataStoreFinder.getDataStore(params);

References

OGC Filter SQL Injection Vulnerabilities (GeoServer)

Affected Packages

5 total 5 fixed

Ecosystem	Package	Vulnerable range	Fix
☕Maven	`org.geotools:gt-jdbc`	≥ 28.0&&< 28.2	28.2
☕Maven	`org.geotools:gt-jdbc`	≥ 27.0&&< 27.4	27.4
☕Maven	`org.geotools:gt-jdbc`	≥ 26.0&&< 26.7	26.7
☕Maven	`org.geotools:gt-jdbc`	≥ 25.0&&< 25.7	25.7
☕Maven	`org.geotools:gt-jdbc`	all versions	24.7

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for org.geotools:gt-jdbc. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update org.geotools:gt-jdbc to 28.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-99c3-qc2q-p94m is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-99c3-qc2q-p94m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-99c3-qc2q-p94m. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Impact GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations: 1. ``PropertyIsLike`` filter * Requires PostGIS DataStore with "encode functions" enabled * Or any JDBCDataStore (all relational databases) with String field (no mitigation) 3. ``strEndsWith`` function * Requires PostGIS DataStore with "encode functions" enabled 5. ``strStartsWith`` function * Requires PostGIS DataStore with "encode functio

O3 Security · Impact-Aware SCA

Is GHSA-99c3-qc2q-p94m in your dependencies?

O3 detects GHSA-99c3-qc2q-p94m across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works

GHSA-99c3-qc2q-p94m

EPSS Exploitation Probability

Blast Radius

Description

Impact

Patches

Workarounds

References

Affected Packages

Detection & mitigation playbook

Detect

Fix

Workarounds

How O3 protects you

Frequently Asked Questions

Is GHSA-99c3-qc2q-p94m in your dependencies?