GHSA-3XGR-H5HQ-7299

Vulnerability from github – Published: 2025-10-15 20:40 – Updated: 2025-10-15 20:40
Summary
GeoIP processor disables SSL certificate validation when downloading databases
Details

Impact

The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading GeoIP databases from HTTP URLs, making downloads vulnerable to man-in-the-middle attacks.

The GeoIP processor included a custom SSL implementation that completely bypassed certificate validation when downloading GeoIP databases from external sources. The initiateSSL() method incorrectly implemented an approach for trusting all certificates. Specifically, it:

  • Accepted all SSL certificates without validation
  • Disabled server certificate verification
  • Disabled client certificate verification
  • Disabled hostname verification

This configuration made database downloads vulnerable to man-in-the-middle attacks, potentially allowing attackers to serve malicious GeoIP databases that could compromise the integrity of geolocation data processing.
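The following Java example is added here to make the defect class (CWE-295) concrete; it is not Data Prepper's code, not the initiateSSL() method, and not the fix from the referenced commit. openTrustAll() reconstructs the generic trust-all pattern the advisory describes so that reviewers can recognise it; openValidated() and downloadAndVerify() show the hardened shape: leave the JVM's default TrustManager and HostnameVerifier in place, refuse non-HTTPS URLs, and check a pinned SHA-256 digest before the downloaded database is moved into place. The class name, method names and the digest-check step are assumptions of this example (Java 17+ for HexFormat).

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class GeoIpDatabaseDownload {

    /** The defect described in the advisory, reconstructed as the generic trust-all pattern
     *  (assumption: this is not Data Prepper's actual initiateSSL() code). Every server
     *  certificate is accepted and the hostname check is disabled, so any on-path host
     *  can answer the download and the TLS layer provides no integrity guarantee. */
    static HttpsURLConnection openTrustAll(URL url) throws IOException, GeneralSecurityException {
        X509TrustManager trustAll = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { } // no check
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { } // no check
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustAll }, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        HostnameVerifier acceptAny = (hostname, session) -> true;   // hostname verification disabled
        conn.setHostnameVerifier(acceptAny);
        return conn;
    }

    /** Hardened variant: no custom SSLContext and no HostnameVerifier override, so the JVM
     *  validates the chain against its trust store and checks the hostname itself. */
    static HttpsURLConnection openValidated(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing non-HTTPS database URL: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(60_000);
        return conn;
    }

    /** Streams the body to a temporary file while hashing it; the file is moved into place
     *  only when the SHA-256 matches the expected value, so a tampered database is never
     *  loaded even if the transport were somehow compromised. */
    static Path downloadAndVerify(URL url, String expectedSha256Hex, Path target)
            throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = openValidated(url);
        if (conn.getResponseCode() != 200) {
            throw new IOException("unexpected HTTP status " + conn.getResponseCode());
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Path tmp = Files.createTempFile(target.toAbsolutePath().getParent(), "geoip-", ".part");
        try (InputStream in = conn.getInputStream(); OutputStream out = Files.newOutputStream(tmp)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                sha256.update(buf, 0, n);
                out.write(buf, 0, n);
            }
        }
        String actual = HexFormat.of().formatHex(sha256.digest());
        if (!actual.equalsIgnoreCase(expectedSha256Hex)) {
            Files.deleteIfExists(tmp);
            throw new SecurityException("GeoIP database digest mismatch: expected "
                    + expectedSha256Hex + " but got " + actual);
        }
        Files.move(tmp, target, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        return target;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: GeoIpDatabaseDownload <https-url> <expected-sha256-hex> <output-path>");
            System.exit(2);
        }
        Path saved = downloadAndVerify(new URL(args[0]), args[1], Path.of(args[2]));
        System.out.println("verified database written to " + saved);
    }
}
```

When reviewing a code base for this defect class, the signals to search for are exactly the calls in openTrustAll(): an X509TrustManager whose checkServerTrusted() body is empty, an SSLContext initialised with such a manager, and a HostnameVerifier that returns true unconditionally. The hardened path needs none of those calls; the digest check is an additional, independent control that also covers the workaround of using local database files, since the same function can verify a file staged from a trusted network.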

Patches

Data Prepper 2.12.2 contains a fix for this issue.

Workarounds

If upgrading is not immediately possible:

  • Use local GeoIP database files instead of downloading from HTTP URLs
  • Ensure database downloads occur only over trusted networks

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opensearch.dataprepper.plugins:geoip-processor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.12.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-15T20:40:10Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading GeoIP databases from HTTP URLs, making downloads vulnerable to man-in-the-middle attacks.\n\nThe GeoIP processor included a custom SSL implementation that completely bypassed certificate validation when downloading GeoIP databases from external sources. The `initiateSSL()` method incorrectly implemented an approach for trusting all certificates. Specifically it:\n\n* Accepted all SSL certificates without validation\n* Disabled server certificate verification\n* Disabled client certificate verification\n* Disabled hostname verification\n\nThis configuration made database downloads vulnerable to man-in-the-middle attacks, potentially allowing attackers to serve malicious GeoIP databases that could compromise the integrity of geolocation data processing.\n\n### Patches\n\nData Prepper 2.12.2 contains a fix for this issue.\n\n### Workarounds\n\nIf upgrading is not immediately possible:\n\n* Use local GeoIP database files instead of downloading from HTTP URLs\n* Ensure database downloads occur only over trusted networks",
  "id": "GHSA-3xgr-h5hq-7299",
  "modified": "2025-10-15T20:40:10Z",
  "published": "2025-10-15T20:40:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-3xgr-h5hq-7299"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opensearch-project/data-prepper/commit/b82ea0640d98d9f4c742622325faeeb6248ee135"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opensearch-project/data-prepper"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoIP processor disables SSL certificate validation when downloading databases"
}

