Search criteria
75 vulnerabilities found for geoserver by geoserver
FKIE_CVE-2025-21621
Vulnerability from fkie_nvd - Published: 2025-11-25 22:15 - Updated: 2025-12-03 16:43
Severity ?
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D74556B8-BDEF-4EC2-98AA-BD99DB2DA4A6",
"versionEndExcluding": "2.25.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim\u0027s browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0."
}
],
"id": "CVE-2025-21621",
"lastModified": "2025-12-03T16:43:45.223",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-11-25T22:15:47.227",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/geoserver/geoserver/pull/7406"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11297"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-58360
Vulnerability from fkie_nvd - Published: 2025-11-25 21:15 - Updated: 2025-12-12 13:54
Severity ?
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
References
{
"cisaActionDue": "2026-01-01",
"cisaExploitAdd": "2025-12-11",
"cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "929A415A-3926-49DE-855E-9363B5E495D3",
"versionEndExcluding": "2.25.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "58DCFD5D-914E-442F-AD07-C019C3BDDB2A",
"versionEndExcluding": "2.26.2",
"versionStartIncluding": "2.26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0."
}
],
"id": "CVE-2025-58360",
"lastModified": "2025-12-12T13:54:01.187",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-25T21:15:56.363",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11682"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-36401
Vulnerability from fkie_nvd - Published: 2024-07-01 16:15 - Updated: 2025-10-24 14:00
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
References
{
"cisaActionDue": "2024-08-05",
"cisaExploitAdd": "2024-07-15",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "OSGeo GeoServer GeoTools Eval Injection Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE0EE582-FAE7-4528-9A5E-6E56EB1DE345",
"versionEndExcluding": "2.22.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0069EB0E-BF96-47F5-8A02-13F9FA6C15D8",
"versionEndExcluding": "2.23.6",
"versionStartIncluding": "2.23.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A407E94-A7F2-4A4F-B96E-2B3DC8FF6DF3",
"versionEndExcluding": "2.24.4",
"versionStartIncluding": "2.24.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CFBAEC7A-6250-45FE-AB54-30D72C03F62D",
"versionEndExcluding": "2.25.2",
"versionStartIncluding": "2.25.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "732DE428-3515-459F-AE5F-08407BA1A049",
"versionEndExcluding": "29.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E338785-9877-4731-B095-E40C86D89577",
"versionEndExcluding": "30.4",
"versionStartIncluding": "30.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "956C1035-1771-4DBE-9B23-815DB6ECB8BF",
"versionEndExcluding": "31.2",
"versionStartIncluding": "31.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:*",
"matchCriteriaId": "CCE433A3-886D-4CBB-9696-660F517FBFEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:30.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "CEB40BCD-6D65-4DC8-A0BF-F5736D543B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:*",
"matchCriteriaId": "75B1DF89-EFC1-4F5A-881E-495AE00E820B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:31.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "72752A30-52B9-4E95-90F8-A807618B5313",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n\nThe GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.\n\nVersions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed."
},
{
"lang": "es",
"value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. Antes de las versiones 2.23.6, 2.24.4 y 2.25.2, varios par\u00e1metros de solicitud de OGC permit\u00edan la ejecuci\u00f3n remota de c\u00f3digo (RCE) por parte de usuarios no autenticados a trav\u00e9s de entradas especialmente dise\u00f1adas en una instalaci\u00f3n predeterminada de GeoServer debido a la evaluaci\u00f3n insegura de nombres de propiedades como expresiones XPath. La API de la librer\u00eda GeoTools a la que llama GeoServer eval\u00faa los nombres de propiedades/atributos para tipos de entidades de una manera que los pasa de manera insegura a la librer\u00eda commons-jxpath, que puede ejecutar c\u00f3digo arbitrario al evaluar expresiones XPath. Esta evaluaci\u00f3n XPath est\u00e1 destinada a ser utilizada \u00fanicamente por tipos de funciones complejas (es decir, almacenes de datos de esquemas de aplicaci\u00f3n), pero tambi\u00e9n se aplica incorrectamente a tipos de funciones simples, lo que hace que esta vulnerabilidad se aplique a **TODAS** las instancias de GeoServer. No se proporciona ninguna PoC p\u00fablica, pero se ha confirmado que esta vulnerabilidad es explotable a trav\u00e9s de solicitudes WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic y WPS Execute. Esta vulnerabilidad puede llevar a la ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones 2.23.6, 2.24.4 y 2.25.2 contienen un parche para el problema. Existe una workaround eliminando el archivo `gt-complex-xyjar` del GeoServer donde `xy` es la versi\u00f3n de GeoTools (por ejemplo, `gt-complex-31.1.jar` si ejecuta GeoServer 2.25.1). Esto eliminar\u00e1 el c\u00f3digo vulnerable de GeoServer, pero puede interrumpir algunas funciones de GeoServer o evitar que GeoServer se implemente si se necesita el m\u00f3dulo gt-complex."
}
],
"id": "CVE-2024-36401",
"lastModified": "2025-10-24T14:00:22.270",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-01T16:15:04.120",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"US Government Resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-95"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-34696
Vulnerability from fkie_nvd - Published: 2024-07-01 15:15 - Updated: 2024-11-21 09:19
Severity ?
4.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured.
The `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.
Users should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "779270D7-89BA-47CA-A5E5-4539668BC18E",
"versionEndExcluding": "2.24.4",
"versionStartIncluding": "2.10.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F63F5E42-FB6D-4264-BF8A-17DEB863054C",
"versionEndExcluding": "2.25.1",
"versionStartIncluding": "2.25.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer\u0027s Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules\u0027 status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured.\n\nThe `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator\u2019s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.\n\nUsers should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice."
},
{
"lang": "es",
"value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. A partir de la versi\u00f3n 2.10.0 y antes de las versiones 2.24.4 y 2.25.1, la p\u00e1gina Estado del servidor de GeoServer y la API REST enumeran todas las variables de entorno y propiedades de Java para cualquier usuario de GeoServer con derechos administrativos como parte del mensaje de estado de esos m\u00f3dulos. Estas variables/propiedades tambi\u00e9n pueden contener informaci\u00f3n confidencial, como contrase\u00f1as de bases de datos o keys/tokens API. Adem\u00e1s, muchas im\u00e1genes de contenedores de GeoServer desarrolladas por la comunidad \"exportan\" otras credenciales desde sus scripts de inicio como variables de entorno al proceso de GeoServer (\"java\"). El alcance preciso del problema depende de qu\u00e9 imagen de contenedor se utiliza y c\u00f3mo est\u00e1 configurada. El endpoint API \"acerca del estado\" que impulsa la p\u00e1gina Estado del servidor solo est\u00e1 disponible para los administradores. Dependiendo del entorno operativo, los administradores pueden tener acceso leg\u00edtimo a las credenciales de otras maneras, pero este problema anula controles m\u00e1s sofisticados (como el acceso sin barreras a secretos o cuentas de rol). De forma predeterminada, GeoServer solo permite el acceso API autenticado del mismo origen. Esto limita las posibilidades de que un atacante externo utilice las credenciales de un administrador para obtener acceso a las credenciales. Los investigadores que encontraron la vulnerabilidad no pudieron determinar otras condiciones bajo las cuales la API REST de GeoServer pueda estar disponible de manera m\u00e1s amplia. Los usuarios deben actualizar las im\u00e1genes del contenedor para usar GeoServer 2.24.4 o 2.25.1 para corregir el error. Como workaround, deje las variables de entorno y las propiedades del sistema Java ocultas de forma predeterminada. Quienes brinden la opci\u00f3n de volver a habilitarlo deben comunicar el impacto y los riesgos para que los usuarios puedan tomar una decisi\u00f3n informada."
}
],
"id": "CVE-2024-34696",
"lastModified": "2024-11-21T09:19:13.003",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-01T15:15:16.907",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2024-24749
Vulnerability from fkie_nvd - Published: 2024-07-01 14:15 - Updated: 2025-11-04 19:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions. If GeoServer is also deployed as a web archive using the data directory embedded in the `geoserver.war` file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary). Versions 2.23.5 and 2.24.3 contain a patch for the issue. Some workarounds are available. One may change from a Windows environment to a Linux environment; or change from Apache Tomcat to Jetty application server. One may also disable anonymous access to the embeded GeoWebCache administration and status pages.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F61A1B3A-DDBD-43E0-8475-BA567DD3528E",
"versionEndExcluding": "2.23.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "439481B7-67BD-4B52-AF19-FC54302116AF",
"versionEndExcluding": "2.24.3",
"versionStartIncluding": "2.24.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions. If GeoServer is also deployed as a web archive using the data directory embedded in the `geoserver.war` file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary). Versions 2.23.5 and 2.24.3 contain a patch for the issue. Some workarounds are available. One may change from a Windows environment to a Linux environment; or change from Apache Tomcat to Jetty application server. One may also disable anonymous access to the embeded GeoWebCache administration and status pages."
},
{
"lang": "es",
"value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. Antes de las versiones 2.23.5 y 2.24.3, si GeoServer se implementa en el sistema operativo Windows utilizando un servidor de aplicaciones web Apache Tomcat, es posible omitir la validaci\u00f3n de entrada existente en la clase GeoWebCache ByteStreamController y leer recursos de classpath arbitrarios con un nombre de archivo espec\u00edfico. extensiones. Si GeoServer tambi\u00e9n se implementa como un archivo web utilizando el directorio de datos integrado en el archivo `geoserver.war` (en lugar de un directorio de datos externo), probablemente ser\u00e1 posible leer recursos espec\u00edficos para obtener privilegios de administrador. Sin embargo, es muy poco probable que los entornos de producci\u00f3n utilicen el directorio de datos integrado ya que, dependiendo de c\u00f3mo se implemente GeoServer, se borrar\u00e1 y se reinstalar\u00e1 (lo que tambi\u00e9n restablecer\u00eda la contrase\u00f1a predeterminada) cada vez que se reinicie el servidor o cada vez que se instala un nuevo GeoServer WAR y por lo tanto es dif\u00edcil de mantener. Siempre se utilizar\u00e1 un directorio de datos externo si GeoServer se ejecuta en modo independiente (a trav\u00e9s de un instalador o un binario). Las versiones 2.23.5 y 2.24.3 contienen un parche para el problema. Algunas soluciones est\u00e1n disponibles. Se puede cambiar de un entorno Windows a un entorno Linux; o cambiar de Apache Tomcat al servidor de aplicaciones Jetty. Tambi\u00e9n se puede desactivar el acceso an\u00f3nimo a las p\u00e1ginas de estado y administraci\u00f3n de GeoWebCache integradas."
}
],
"id": "CVE-2024-24749",
"lastModified": "2025-11-04T19:16:57.820",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-01T14:15:05.350",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/GeoWebCache/geowebcache/commit/c7f76bd8a1d67c3b986146e7a5e0b14dd64a8fef"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/GeoWebCache/geowebcache/pull/1211"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2024/Feb/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/GeoWebCache/geowebcache/commit/c7f76bd8a1d67c3b986146e7a5e0b14dd64a8fef"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/GeoWebCache/geowebcache/pull/1211"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-21621 (GCVE-0-2025-21621)
Vulnerability from cvelistv5 – Published: 2025-11-25 21:52 – Updated: 2025-11-26 16:03
VLAI?
Title
GeoServer Reflected Cross-Site Scripting (XSS) vulnerability in WMS GetFeatureInfo HTML format
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T16:02:58.299745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T16:03:05.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.25.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim\u0027s browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T21:52:11.598Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72"
},
{
"name": "https://github.com/geoserver/geoserver/pull/7406",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/pull/7406"
},
{
"name": "https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11297",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11297"
}
],
"source": {
"advisory": "GHSA-w66h-j855-qr72",
"discovery": "UNKNOWN"
},
"title": "GeoServer Reflected Cross-Site Scripting (XSS) vulnerability in WMS GetFeatureInfo HTML format"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-21621",
"datePublished": "2025-11-25T21:52:11.598Z",
"dateReserved": "2024-12-29T03:00:24.714Z",
"dateUpdated": "2025-11-26T16:03:05.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58360 (GCVE-0-2025-58360)
Vulnerability from cvelistv5 – Published: 2025-11-25 20:17 – Updated: 2025-12-12 04:55
VLAI?
Title
GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
Severity ?
8.2 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58360",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-12-11",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T04:55:42.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T00:00:00+00:00",
"value": "CVE-2025-58360 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.2"
},
{
"status": "affected",
"version": "\u003c 2.25.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T20:17:35.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11682",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11682"
}
],
"source": {
"advisory": "GHSA-fjf5-xgmq-5525",
"discovery": "UNKNOWN"
},
"title": "GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58360",
"datePublished": "2025-11-25T20:17:35.254Z",
"dateReserved": "2025-08-29T16:19:59.010Z",
"dateUpdated": "2025-12-12T04:55:42.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30220 (GCVE-0-2025-30220)
Vulnerability from cvelistv5 – Published: 2025-06-10 15:16 – Updated: 2025-06-10 17:13
VLAI?
Title
GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
Severity ?
9.9 (Critical)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30220",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T17:13:03.887707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T17:13:09.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.27.0, \u003c 2.27.1"
},
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.3"
},
{
"status": "affected",
"version": "\u003c 2.25.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:16:39.339Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/pull/8757",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8757"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/pull/8803",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8803"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/pull/8812",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8812"
},
{
"name": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
}
],
"source": {
"advisory": "GHSA-jj54-8f66-c5pc",
"discovery": "UNKNOWN"
},
"title": "GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30220",
"datePublished": "2025-06-10T15:16:39.339Z",
"dateReserved": "2025-03-18T18:15:13.851Z",
"dateUpdated": "2025-06-10T17:13:09.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30145 (GCVE-0-2025-30145)
Vulnerability from cvelistv5 – Published: 2025-06-10 14:58 – Updated: 2025-06-10 15:16
VLAI?
Title
GeoServer has an Infinite Loop Vulnerability in Jiffle process
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.
Severity ?
7.5 (High)
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:16:16.672596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:16:31.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.3"
},
{
"status": "affected",
"version": "\u003c 2.25.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:58:48.408Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf"
},
{
"name": "https://github.com/geosolutions-it/jai-ext/pull/307",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geosolutions-it/jai-ext/pull/307"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11778",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11778"
}
],
"source": {
"advisory": "GHSA-gr67-pwcv-76gf",
"discovery": "UNKNOWN"
},
"title": "GeoServer has an Infinite Loop Vulnerability in Jiffle process"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30145",
"datePublished": "2025-06-10T14:58:48.408Z",
"dateReserved": "2025-03-17T12:41:42.564Z",
"dateUpdated": "2025-06-10T15:16:31.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27505 (GCVE-0-2025-27505)
Vulnerability from cvelistv5 – Published: 2025-06-10 14:52 – Updated: 2025-06-10 15:01
VLAI?
Title
GeoServer Missing Authorization on REST API Index
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:01:26.113408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:01:45.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.3"
},
{
"status": "affected",
"version": "\u003c 2.25.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:52:19.499Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5"
},
{
"name": "https://github.com/geoserver/geoserver/pull/8170",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/pull/8170"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11664",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11664"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11776",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11776"
}
],
"source": {
"advisory": "GHSA-h86g-x8mm-78m5",
"discovery": "UNKNOWN"
},
"title": "GeoServer Missing Authorization on REST API Index"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27505",
"datePublished": "2025-06-10T14:52:19.499Z",
"dateReserved": "2025-02-26T18:11:52.305Z",
"dateUpdated": "2025-06-10T15:01:45.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40625 (GCVE-0-2024-40625)
Vulnerability from cvelistv5 – Published: 2025-06-10 14:49 – Updated: 2025-06-10 14:55
VLAI?
Title
GeoServer Coverage REST API Allows Server Side Request Forgery
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restrict. This vulnerability is fixed in 2.26.0.
Severity ?
5.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:54:52.333248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:55:09.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals \u0027url\u0027) with no restrict. This vulnerability is fixed in 2.26.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:49:05.368Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11468",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11468"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11717",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11717"
}
],
"source": {
"advisory": "GHSA-r4hf-r8gj-jgw2",
"discovery": "UNKNOWN"
},
"title": "GeoServer Coverage REST API Allows Server Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40625",
"datePublished": "2025-06-10T14:49:05.368Z",
"dateReserved": "2024-07-08T16:13:15.510Z",
"dateUpdated": "2025-06-10T14:55:09.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38524 (GCVE-0-2024-38524)
Vulnerability from cvelistv5 – Published: 2025-06-10 14:43 – Updated: 2025-06-10 14:56
VLAI?
Title
GWC Home Page communicate version and revision information
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:56:50.768148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:56:58.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.2"
},
{
"status": "affected",
"version": "\u003c 2.25.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:43:04.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f"
},
{
"name": "https://github.com/GeoWebCache/geowebcache/issues/1344",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GeoWebCache/geowebcache/issues/1344"
},
{
"name": "https://github.com/GeoWebCache/geowebcache/pull/1345",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GeoWebCache/geowebcache/pull/1345"
},
{
"name": "https://github.com/geoserver/geoserver/pull/8189",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/pull/8189"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11677",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11677"
}
],
"source": {
"advisory": "GHSA-jm79-7xhw-6f6f",
"discovery": "UNKNOWN"
},
"title": "GWC Home Page communicate version and revision information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38524",
"datePublished": "2025-06-10T14:43:04.590Z",
"dateReserved": "2024-06-18T16:37:02.728Z",
"dateUpdated": "2025-06-10T14:56:58.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34711 (GCVE-0-2024-34711)
Vulnerability from cvelistv5 – Published: 2025-06-10 14:33 – Updated: 2025-06-10 15:08
VLAI?
Title
GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.
Severity ?
9.3 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34711",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:08:02.959639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:08:27.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.25.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:33:18.872Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965"
},
{
"name": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
}
],
"source": {
"advisory": "GHSA-mc43-4fqr-c965",
"discovery": "UNKNOWN"
},
"title": "GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34711",
"datePublished": "2025-06-10T14:33:18.872Z",
"dateReserved": "2024-05-07T13:53:00.133Z",
"dateUpdated": "2025-06-10T15:08:27.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29198 (GCVE-0-2024-29198)
Vulnerability from cvelistv5 – Published: 2025-06-10 14:27 – Updated: 2025-06-17 19:12
VLAI?
Title
GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost
Summary
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.
Severity ?
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:34:24.822105Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T19:12:00.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.24.4"
},
{
"status": "affected",
"version": "\u003e= 2.25.0, \u003c 2.25.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:27:39.485Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11390",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11390"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11794",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11794"
}
],
"source": {
"advisory": "GHSA-5gw5-jccf-6hxw",
"discovery": "UNKNOWN"
},
"title": "GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29198",
"datePublished": "2025-06-10T14:27:39.485Z",
"dateReserved": "2024-03-18T17:07:00.095Z",
"dateUpdated": "2025-06-17T19:12:00.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35230 (GCVE-0-2024-35230)
Vulnerability from cvelistv5 – Published: 2024-12-16 22:18 – Updated: 2024-12-17 14:40
VLAI?
Title
Welcome and About GeoServer pages communicate version and revision information
Summary
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35230",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T14:39:46.671847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T14:40:36.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6pfc-w86r-54q6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T22:18:19.896Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6pfc-w86r-54q6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6pfc-w86r-54q6"
},
{
"name": "https://github.com/geoserver/geoserver/commit/74fdab745a5deff20ac99abca24d8695fe1a52f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/commit/74fdab745a5deff20ac99abca24d8695fe1a52f8"
},
{
"name": "https://github.com/geoserver/geoserver/commit/8cd1590a604a10875de67b04995f1952f631f920",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/commit/8cd1590a604a10875de67b04995f1952f631f920"
}
],
"source": {
"advisory": "GHSA-6pfc-w86r-54q6",
"discovery": "UNKNOWN"
},
"title": "Welcome and About GeoServer pages communicate version and revision information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35230",
"datePublished": "2024-12-16T22:18:19.896Z",
"dateReserved": "2024-05-14T15:39:41.785Z",
"dateUpdated": "2024-12-17T14:40:36.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36401 (GCVE-0-2024-36401)
Vulnerability from cvelistv5 – Published: 2024-07-01 15:25 – Updated: 2025-10-21 22:56
VLAI?
Title
Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Severity ?
9.8 (Critical)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.23.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:2.24.0:-:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.24.4",
"status": "affected",
"version": "2.24.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:2.25.0:-:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.25.2",
"status": "affected",
"version": "2.25.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36401",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-13T03:55:17.574252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-07-15",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:56:21.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-15T00:00:00+00:00",
"value": "CVE-2024-36401 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-19T07:47:49.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"url": "https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.23.0, \u003c 2.23.6"
},
{
"status": "affected",
"version": "\u003e= 2.24.0, \u003c 2.24.4"
},
{
"status": "affected",
"version": "\u003e= 2.25.0, \u003c 2.25.2"
},
{
"status": "affected",
"version": "\u003c 2.22.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n\nThe GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.\n\nVersions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T14:55:46.536Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
}
],
"source": {
"advisory": "GHSA-6jj6-gm7p-fcvv",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36401",
"datePublished": "2024-07-01T15:25:41.873Z",
"dateReserved": "2024-05-27T15:59:57.030Z",
"dateUpdated": "2025-10-21T22:56:21.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34696 (GCVE-0-2024-34696)
Vulnerability from cvelistv5 – Published: 2024-07-01 14:36 – Updated: 2024-08-02 02:59
VLAI?
Title
GeoServer's Server Status shows sensitive environmental variables and Java properties
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured.
The `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.
Users should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice.
Severity ?
4.5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-01T17:08:38.904497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T17:08:44.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:21.661Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.24.4"
},
{
"status": "affected",
"version": "\u003e= 2.25.0, \u003c 2.25.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer\u0027s Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules\u0027 status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured.\n\nThe `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator\u2019s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.\n\nUsers should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T14:36:05.084Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf"
}
],
"source": {
"advisory": "GHSA-j59v-vgcr-hxvf",
"discovery": "UNKNOWN"
},
"title": " GeoServer\u0027s Server Status shows sensitive environmental variables and Java properties"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34696",
"datePublished": "2024-07-01T14:36:05.084Z",
"dateReserved": "2024-05-07T13:53:00.131Z",
"dateUpdated": "2024-08-02T02:59:21.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24749 (GCVE-0-2024-24749)
Vulnerability from cvelistv5 – Published: 2024-07-01 14:07 – Updated: 2025-11-04 18:29
VLAI?
Title
Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions. If GeoServer is also deployed as a web archive using the data directory embedded in the `geoserver.war` file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary). Versions 2.23.5 and 2.24.3 contain a patch for the issue. Some workarounds are available. One may change from a Windows environment to a Linux environment; or change from Apache Tomcat to Jetty application server. One may also disable anonymous access to the embeded GeoWebCache administration and status pages.
Severity ?
7.5 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:29:12.335Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3"
},
{
"name": "https://github.com/GeoWebCache/geowebcache/pull/1211",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/GeoWebCache/geowebcache/pull/1211"
},
{
"name": "https://github.com/GeoWebCache/geowebcache/commit/c7f76bd8a1d67c3b986146e7a5e0b14dd64a8fef",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/GeoWebCache/geowebcache/commit/c7f76bd8a1d67c3b986146e7a5e0b14dd64a8fef"
},
{
"url": "http://seclists.org/fulldisclosure/2024/Feb/13"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.23.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.24.3",
"status": "affected",
"version": "2.24.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24749",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T14:42:13.755866Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T14:44:36.419Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.23.5"
},
{
"status": "affected",
"version": "\u003e= 2.24.0, \u003c 2.24.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions. If GeoServer is also deployed as a web archive using the data directory embedded in the `geoserver.war` file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary). Versions 2.23.5 and 2.24.3 contain a patch for the issue. Some workarounds are available. One may change from a Windows environment to a Linux environment; or change from Apache Tomcat to Jetty application server. One may also disable anonymous access to the embeded GeoWebCache administration and status pages."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T14:07:33.314Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3"
},
{
"name": "https://github.com/GeoWebCache/geowebcache/pull/1211",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GeoWebCache/geowebcache/pull/1211"
},
{
"name": "https://github.com/GeoWebCache/geowebcache/commit/c7f76bd8a1d67c3b986146e7a5e0b14dd64a8fef",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GeoWebCache/geowebcache/commit/c7f76bd8a1d67c3b986146e7a5e0b14dd64a8fef"
}
],
"source": {
"advisory": "GHSA-jhqx-5v5g-mpf3",
"discovery": "UNKNOWN"
},
"title": "Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24749",
"datePublished": "2024-07-01T14:07:33.314Z",
"dateReserved": "2024-01-29T20:51:26.009Z",
"dateUpdated": "2025-11-04T18:29:12.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-21621 (GCVE-0-2025-21621)
Vulnerability from nvd – Published: 2025-11-25 21:52 – Updated: 2025-11-26 16:03
VLAI?
Title
GeoServer Reflected Cross-Site Scripting (XSS) vulnerability in WMS GetFeatureInfo HTML format
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-26T16:02:58.299745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-26T16:03:05.272Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.25.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim\u0027s browser through specially crafted SLD_BODY parameters. This issue has been patched in version 2.25.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T21:52:11.598Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-w66h-j855-qr72"
},
{
"name": "https://github.com/geoserver/geoserver/pull/7406",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/pull/7406"
},
{
"name": "https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/commit/dc9ff1c726dd73c884437a123b4ad72b19383c7d"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11297",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11297"
}
],
"source": {
"advisory": "GHSA-w66h-j855-qr72",
"discovery": "UNKNOWN"
},
"title": "GeoServer Reflected Cross-Site Scripting (XSS) vulnerability in WMS GetFeatureInfo HTML format"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-21621",
"datePublished": "2025-11-25T21:52:11.598Z",
"dateReserved": "2024-12-29T03:00:24.714Z",
"dateUpdated": "2025-11-26T16:03:05.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58360 (GCVE-0-2025-58360)
Vulnerability from nvd – Published: 2025-11-25 20:17 – Updated: 2025-12-12 04:55
VLAI?
Title
GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
Severity ?
8.2 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58360",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-12-11",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T04:55:42.921Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-58360"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T00:00:00+00:00",
"value": "CVE-2025-58360 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.2"
},
{
"status": "affected",
"version": "\u003c 2.25.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T20:17:35.254Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11682",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11682"
}
],
"source": {
"advisory": "GHSA-fjf5-xgmq-5525",
"discovery": "UNKNOWN"
},
"title": "GeoServer is vulnerable to an Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58360",
"datePublished": "2025-11-25T20:17:35.254Z",
"dateReserved": "2025-08-29T16:19:59.010Z",
"dateUpdated": "2025-12-12T04:55:42.921Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30220 (GCVE-0-2025-30220)
Vulnerability from nvd – Published: 2025-06-10 15:16 – Updated: 2025-06-10 17:13
VLAI?
Title
GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
Severity ?
9.9 (Critical)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30220",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T17:13:03.887707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T17:13:09.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.27.0, \u003c 2.27.1"
},
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.3"
},
{
"status": "affected",
"version": "\u003c 2.25.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:16:39.339Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/pull/8757",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8757"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/pull/8803",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8803"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/pull/8812",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8812"
},
{
"name": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
}
],
"source": {
"advisory": "GHSA-jj54-8f66-c5pc",
"discovery": "UNKNOWN"
},
"title": "GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30220",
"datePublished": "2025-06-10T15:16:39.339Z",
"dateReserved": "2025-03-18T18:15:13.851Z",
"dateUpdated": "2025-06-10T17:13:09.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30145 (GCVE-0-2025-30145)
Vulnerability from nvd – Published: 2025-06-10 14:58 – Updated: 2025-06-10 15:16
VLAI?
Title
GeoServer has an Infinite Loop Vulnerability in Jiffle process
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process.
Severity ?
7.5 (High)
CWE
- CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30145",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:16:16.672596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:16:31.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.3"
},
{
"status": "affected",
"version": "\u003c 2.25.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. This vulnerability is fixed in 2.27.0, 2.26.3, and 2.25.7. This vulnerability can be mitigated by disabling WMS dynamic styling and the Jiffle process."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:58:48.408Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf"
},
{
"name": "https://github.com/geosolutions-it/jai-ext/pull/307",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geosolutions-it/jai-ext/pull/307"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11778",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11778"
}
],
"source": {
"advisory": "GHSA-gr67-pwcv-76gf",
"discovery": "UNKNOWN"
},
"title": "GeoServer has an Infinite Loop Vulnerability in Jiffle process"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30145",
"datePublished": "2025-06-10T14:58:48.408Z",
"dateReserved": "2025-03-17T12:41:42.564Z",
"dateUpdated": "2025-06-10T15:16:31.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27505 (GCVE-0-2025-27505)
Vulnerability from nvd – Published: 2025-06-10 14:52 – Updated: 2025-06-10 15:01
VLAI?
Title
GeoServer Missing Authorization on REST API Index
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:01:26.113408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:01:45.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.3"
},
{
"status": "affected",
"version": "\u003c 2.25.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. This vulnerability is fixed in 2.26.3 and 2.25.6. As a workaround, in ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:52:19.499Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5"
},
{
"name": "https://github.com/geoserver/geoserver/pull/8170",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/pull/8170"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11664",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11664"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11776",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11776"
}
],
"source": {
"advisory": "GHSA-h86g-x8mm-78m5",
"discovery": "UNKNOWN"
},
"title": "GeoServer Missing Authorization on REST API Index"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27505",
"datePublished": "2025-06-10T14:52:19.499Z",
"dateReserved": "2025-02-26T18:11:52.305Z",
"dateUpdated": "2025-06-10T15:01:45.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-40625 (GCVE-0-2024-40625)
Vulnerability from nvd – Published: 2025-06-10 14:49 – Updated: 2025-06-10 14:55
VLAI?
Title
GeoServer Coverage REST API Allows Server Side Request Forgery
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restrict. This vulnerability is fixed in 2.26.0.
Severity ?
5.5 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-40625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:54:52.333248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:55:09.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals \u0027url\u0027) with no restrict. This vulnerability is fixed in 2.26.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:49:05.368Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11468",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11468"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11717",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11717"
}
],
"source": {
"advisory": "GHSA-r4hf-r8gj-jgw2",
"discovery": "UNKNOWN"
},
"title": "GeoServer Coverage REST API Allows Server Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-40625",
"datePublished": "2025-06-10T14:49:05.368Z",
"dateReserved": "2024-07-08T16:13:15.510Z",
"dateUpdated": "2025-06-10T14:55:09.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38524 (GCVE-0-2024-38524)
Vulnerability from nvd – Published: 2025-06-10 14:43 – Updated: 2025-06-10 14:56
VLAI?
Title
GWC Home Page communicate version and revision information
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:56:50.768148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:56:58.139Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.2"
},
{
"status": "affected",
"version": "\u003c 2.25.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:43:04.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f"
},
{
"name": "https://github.com/GeoWebCache/geowebcache/issues/1344",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GeoWebCache/geowebcache/issues/1344"
},
{
"name": "https://github.com/GeoWebCache/geowebcache/pull/1345",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/GeoWebCache/geowebcache/pull/1345"
},
{
"name": "https://github.com/geoserver/geoserver/pull/8189",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/pull/8189"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11677",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11677"
}
],
"source": {
"advisory": "GHSA-jm79-7xhw-6f6f",
"discovery": "UNKNOWN"
},
"title": "GWC Home Page communicate version and revision information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38524",
"datePublished": "2025-06-10T14:43:04.590Z",
"dateReserved": "2024-06-18T16:37:02.728Z",
"dateUpdated": "2025-06-10T14:56:58.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34711 (GCVE-0-2024-34711)
Vulnerability from nvd – Published: 2025-06-10 14:33 – Updated: 2025-06-10 15:08
VLAI?
Title
GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.
Severity ?
9.3 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34711",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T15:08:02.959639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:08:27.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003c 2.25.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:33:18.872Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965"
},
{
"name": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
}
],
"source": {
"advisory": "GHSA-mc43-4fqr-c965",
"discovery": "UNKNOWN"
},
"title": "GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34711",
"datePublished": "2025-06-10T14:33:18.872Z",
"dateReserved": "2024-05-07T13:53:00.133Z",
"dateUpdated": "2025-06-10T15:08:27.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29198 (GCVE-0-2024-29198)
Vulnerability from nvd – Published: 2025-06-10 14:27 – Updated: 2025-06-17 19:12
VLAI?
Title
GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost
Summary
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.
Severity ?
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T14:34:24.822105Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T19:12:00.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.24.4"
},
{
"status": "affected",
"version": "\u003e= 2.25.0, \u003c 2.25.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T14:27:39.485Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11390",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11390"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOS-11794",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOS-11794"
}
],
"source": {
"advisory": "GHSA-5gw5-jccf-6hxw",
"discovery": "UNKNOWN"
},
"title": "GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29198",
"datePublished": "2025-06-10T14:27:39.485Z",
"dateReserved": "2024-03-18T17:07:00.095Z",
"dateUpdated": "2025-06-17T19:12:00.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35230 (GCVE-0-2024-35230)
Vulnerability from nvd – Published: 2024-12-16 22:18 – Updated: 2024-12-17 14:40
VLAI?
Title
Welcome and About GeoServer pages communicate version and revision information
Summary
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35230",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-17T14:39:46.671847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-17T14:40:36.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6pfc-w86r-54q6"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T22:18:19.896Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6pfc-w86r-54q6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6pfc-w86r-54q6"
},
{
"name": "https://github.com/geoserver/geoserver/commit/74fdab745a5deff20ac99abca24d8695fe1a52f8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/commit/74fdab745a5deff20ac99abca24d8695fe1a52f8"
},
{
"name": "https://github.com/geoserver/geoserver/commit/8cd1590a604a10875de67b04995f1952f631f920",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geoserver/geoserver/commit/8cd1590a604a10875de67b04995f1952f631f920"
}
],
"source": {
"advisory": "GHSA-6pfc-w86r-54q6",
"discovery": "UNKNOWN"
},
"title": "Welcome and About GeoServer pages communicate version and revision information"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-35230",
"datePublished": "2024-12-16T22:18:19.896Z",
"dateReserved": "2024-05-14T15:39:41.785Z",
"dateUpdated": "2024-12-17T14:40:36.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36401 (GCVE-0-2024-36401)
Vulnerability from nvd – Published: 2024-07-01 15:25 – Updated: 2025-10-21 22:56
VLAI?
Title
Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Severity ?
9.8 (Critical)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.23.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:2.24.0:-:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.24.4",
"status": "affected",
"version": "2.24.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:2.25.0:-:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.25.2",
"status": "affected",
"version": "2.25.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36401",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-13T03:55:17.574252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-07-15",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:56:21.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-15T00:00:00+00:00",
"value": "CVE-2024-36401 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-19T07:47:49.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"url": "https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.23.0, \u003c 2.23.6"
},
{
"status": "affected",
"version": "\u003e= 2.24.0, \u003c 2.24.4"
},
{
"status": "affected",
"version": "\u003e= 2.25.0, \u003c 2.25.2"
},
{
"status": "affected",
"version": "\u003c 2.22.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n\nThe GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.\n\nVersions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T14:55:46.536Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
}
],
"source": {
"advisory": "GHSA-6jj6-gm7p-fcvv",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36401",
"datePublished": "2024-07-01T15:25:41.873Z",
"dateReserved": "2024-05-27T15:59:57.030Z",
"dateUpdated": "2025-10-21T22:56:21.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-34696 (GCVE-0-2024-34696)
Vulnerability from nvd – Published: 2024-07-01 14:36 – Updated: 2024-08-02 02:59
VLAI?
Title
GeoServer's Server Status shows sensitive environmental variables and Java properties
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured.
The `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.
Users should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice.
Severity ?
4.5 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34696",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-01T17:08:38.904497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T17:08:44.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:59:21.661Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.24.4"
},
{
"status": "affected",
"version": "\u003e= 2.25.0, \u003c 2.25.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer\u0027s Server Status page and REST API lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules\u0027 status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured.\n\nThe `about status` API endpoint which powers the Server Status page is only available to administrators.Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator\u2019s credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.\n\nUsers should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable it should communicate the impact and risks so that users can make an informed choice."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T14:36:05.084Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf"
}
],
"source": {
"advisory": "GHSA-j59v-vgcr-hxvf",
"discovery": "UNKNOWN"
},
"title": " GeoServer\u0027s Server Status shows sensitive environmental variables and Java properties"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-34696",
"datePublished": "2024-07-01T14:36:05.084Z",
"dateReserved": "2024-05-07T13:53:00.131Z",
"dateUpdated": "2024-08-02T02:59:21.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}