cvelistv5 - cve-2024-34711

CVE-2024-34711 (GCVE-0-2024-34711)

Vulnerability from cvelistv5 – Published: 2025-06-10 14:33 – Updated: 2025-06-10 15:08

Summary

GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.

Severity ?

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-611 - Improper Restriction of XML External Entity Reference
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/geoserver/geoserver/security/a…	x_refsource_CONFIRM
	https://docs.geoserver.org/latest/en/user/product…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	geoserver	geoserver	Affected: < 2.25.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34711",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-10T15:08:02.959639Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-10T15:08:27.117Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "geoserver",
          "vendor": "geoserver",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.25.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-10T14:33:18.872Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965"
        },
        {
          "name": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
        }
      ],
      "source": {
        "advisory": "GHSA-mc43-4fqr-c965",
        "discovery": "UNKNOWN"
      },
      "title": "GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34711",
    "datePublished": "2025-06-10T14:33:18.872Z",
    "dateReserved": "2024-05-07T13:53:00.133Z",
    "dateUpdated": "2025-06-10T15:08:27.117Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34711\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-10T15:15:22.710\",\"lastModified\":\"2025-08-26T16:24:18.393\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\\\\\\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.\"},{\"lang\":\"es\",\"value\":\"GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. Existe una vulnerabilidad de validaci\u00f3n de URI incorrecta que permite a un atacante no autorizado realizar un ataque de Entidades Externas XML (XEE) y enviar una solicitud GET a cualquier servidor HTTP. De forma predeterminada, GeoServer utiliza la clase PreventLocalEntityResolver de GeoTools para filtrar URI maliciosos en entidades XML antes de resolverlos. El URI debe coincidir con la expresi\u00f3n regular (?i)(jar:file|http|vfs)[^?#;]*\\\\\\\\.xsd. Sin embargo, la expresi\u00f3n regular permite a los atacantes realizar solicitudes a cualquier servidor HTTP o archivo limitado. Un atacante puede aprovechar esto para escanear redes internas, obtener informaci\u00f3n sobre ellas y luego explotarla. GeoServer 2.25.0 y versiones posteriores utilizan ENTITY_RESOLUTION_ALLOWLIST de forma predeterminada y no requieren que se proporcione una propiedad del sistema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-611\"},{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.25.0\",\"matchCriteriaId\":\"6112339F-79B4-4735-B2BE-345BE4F81FD4\"}]}]}],\"references\":[{\"url\":\"https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34711\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-10T15:08:02.959639Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-10T15:08:24.474Z\"}}], \"cna\": {\"title\": \"GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)\", \"source\": {\"advisory\": \"GHSA-mc43-4fqr-c965\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"geoserver\", \"product\": \"geoserver\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.25.0\"}]}], \"references\": [{\"url\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965\", \"name\": \"https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities\", \"name\": \"https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\\\\\\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-10T14:33:18.872Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-34711\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-10T15:08:27.117Z\", \"dateReserved\": \"2024-05-07T13:53:00.133Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-10T14:33:18.872Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-MC43-4FQR-C965

Vulnerability from github – Published: 2025-06-10 14:13 – Updated: 2025-06-10 15:35

Summary

GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)

Details

Summary

An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. Attacker can abuse this to scan internal networks and gain information about them then exploit further. Moreover, attacker can read limited .xsd file on system.

Details

By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file.

Impact

An unauthenticated attacker can: 1. Scan internal network to gain insight about it and exploit further. 2. SSRF to endpoint ends with .xsd. 3. Read limited .xsd file on system.

Mitigation

Define the system property ENTITY_RESOLUTION_ALLOWLIST to limit the supported external schema locaitons.
The built-in allow list covers the locations required for the operation of OGC web services: www.w3.org,schemas.opengis.net,www.opengis.net,inspire.ec.europa.eu/schemas.
The user guide provides details on how to add additional locations (this is required for app-schema plugin where a schema is supplied to define an output format).

Resolution

GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.
The use of ENTITY_RESOLUTION_ALLOWLIST is still supported if you require additional schema locations to be supported beyond the built-in allow list.
GeoServer 2.25.1 change ENTITY_RESOLUTION_ALLOWLIST no longer supports regular expressions

References

External Entities Resolution (GeoServer User Guide)

Credits

Le Mau Anh Phong from VNG Security Response Center & VNUHCM - University of Information Technology

Severity ?

9.3 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.main:gs-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-200",
      "CWE-611",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T14:13:44Z",
    "nvd_published_at": "2025-06-10T15:15:22Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nAn improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. Attacker can abuse this to scan internal networks and gain information about them then exploit further. Moreover, attacker can read limited `.xsd` file on system.\n\n### Details\nBy default, GeoServer use `PreventLocalEntityResolver` class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex `(?i)(jar:file|http|vfs)[^?#;]*\\\\.xsd`. But the regex leaves a chance for attackers to request to any HTTP server or limited file.\n\n### Impact\n\nAn unauthenticated attacker can:\n1. Scan internal network to gain insight about it and exploit further.\n2. SSRF to endpoint ends with `.xsd`.\n3. Read limited `.xsd` file on system.\n\n### Mitigation\n\n1. Define the system property ``ENTITY_RESOLUTION_ALLOWLIST`` to limit the supported external schema locaitons.\n2. The built-in allow list covers the locations required for the operation of OGC web services: ``www.w3.org``,``schemas.opengis.net``,``www.opengis.net``,``inspire.ec.europa.eu/schemas``.\n3. The [user guide](https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) provides details on how to add additional locations (this is required for app-schema plugin where a schema is supplied to define an output format).\n\n### Resolution \n\n1. GeoServer 2.25.0 and greater default to the use of ``ENTITY_RESOLUTION_ALLOWLIST`` and does not require you to provide a system property.\n2. The use of ``ENTITY_RESOLUTION_ALLOWLIST`` is still supported if you require additional schema locations to be supported beyond the built-in allow list.\n3. GeoServer 2.25.1 change ``ENTITY_RESOLUTION_ALLOWLIST `` no longer supports regular expressions\n\n### References\n\n* [External Entities Resolution](https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) (GeoServer User Guide)\n\n### Credits\n* Le Mau Anh Phong from VNG Security Response Center \u0026 VNUHCM - University of Information Technology",
  "id": "GHSA-mc43-4fqr-c965",
  "modified": "2025-06-10T15:35:23Z",
  "published": "2025-06-10T14:13:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34711"
    },
    {
      "type": "WEB",
      "url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoServer has improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF)"
}

WID-SEC-W-2025-1267

Vulnerability from csaf_certbund - Published: 2025-06-09 22:00 - Updated: 2025-06-09 22:00

Summary

GeoServer: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

GeoServer ist ein Open-Source-Server zum Teilen von Geodaten.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GeoServer ausnutzen, um Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "GeoServer ist ein Open-Source-Server zum Teilen von Geodaten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GeoServer ausnutzen, um Informationen offenzulegen oder Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1267 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1267.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1267 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1267"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-h86g-x8mm-78m5 vom 2025-06-09",
        "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-jm79-7xhw-6f6f vom 2025-06-09",
        "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-mc43-4fqr-c965 vom 2025-06-09",
        "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-r4hf-r8gj-jgw2 vom 2025-06-09",
        "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2"
      }
    ],
    "source_lang": "en-US",
    "title": "GeoServer: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-09T22:00:00.000+00:00",
      "generator": {
        "date": "2025-06-10T11:29:08.494+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-1267",
      "initial_release_date": "2025-06-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-06-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.26.3",
                "product": {
                  "name": "Open Source GeoServer \u003c2.26.3",
                  "product_id": "T044445"
                }
              },
              {
                "category": "product_version",
                "name": "2.26.3",
                "product": {
                  "name": "Open Source GeoServer 2.26.3",
                  "product_id": "T044445-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:geoserver:geoserver:2.26.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.25.6",
                "product": {
                  "name": "Open Source GeoServer \u003c2.25.6",
                  "product_id": "T044446"
                }
              },
              {
                "category": "product_version",
                "name": "2.25.6",
                "product": {
                  "name": "Open Source GeoServer 2.25.6",
                  "product_id": "T044446-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:geoserver:geoserver:2.25.6"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.26.2",
                "product": {
                  "name": "Open Source GeoServer \u003c2.26.2",
                  "product_id": "T044447"
                }
              },
              {
                "category": "product_version",
                "name": "2.26.2",
                "product": {
                  "name": "Open Source GeoServer 2.26.2",
                  "product_id": "T044447-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:geoserver:geoserver:2.26.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.25.0",
                "product": {
                  "name": "Open Source GeoServer \u003c2.25.0",
                  "product_id": "T044448"
                }
              },
              {
                "category": "product_version",
                "name": "2.25.0",
                "product": {
                  "name": "Open Source GeoServer 2.25.0",
                  "product_id": "T044448-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:geoserver:geoserver:2.25.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.26.0",
                "product": {
                  "name": "Open Source GeoServer \u003c2.26.0",
                  "product_id": "T044449"
                }
              },
              {
                "category": "product_version",
                "name": "2.26.0",
                "product": {
                  "name": "Open Source GeoServer 2.26.0",
                  "product_id": "T044449-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:geoserver:geoserver:2.26.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "GeoServer"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-34711",
      "product_status": {
        "known_affected": [
          "T044448"
        ]
      },
      "release_date": "2025-06-09T22:00:00.000+00:00",
      "title": "CVE-2024-34711"
    },
    {
      "cve": "CVE-2024-38524",
      "product_status": {
        "known_affected": [
          "T044447",
          "T044446"
        ]
      },
      "release_date": "2025-06-09T22:00:00.000+00:00",
      "title": "CVE-2024-38524"
    },
    {
      "cve": "CVE-2024-40625",
      "product_status": {
        "known_affected": [
          "T044449"
        ]
      },
      "release_date": "2025-06-09T22:00:00.000+00:00",
      "title": "CVE-2024-40625"
    },
    {
      "cve": "CVE-2025-27505",
      "product_status": {
        "known_affected": [
          "T044445",
          "T044446"
        ]
      },
      "release_date": "2025-06-09T22:00:00.000+00:00",
      "title": "CVE-2025-27505"
    }
  ]
}

FKIE_CVE-2024-34711

Vulnerability from fkie_nvd - Published: 2025-06-10 15:15 - Updated: 2025-08-26 16:24

Severity ?

9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities	Product
	security-advisories@github.com	https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965	Mitigation, Third Party Advisory

Impacted products

	Vendor	Product	Version
	osgeo	geoserver	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6112339F-79B4-4735-B2BE-345BE4F81FD4",
              "versionEndExcluding": "2.25.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property."
    },
    {
      "lang": "es",
      "value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. Existe una vulnerabilidad de validaci\u00f3n de URI incorrecta que permite a un atacante no autorizado realizar un ataque de Entidades Externas XML (XEE) y enviar una solicitud GET a cualquier servidor HTTP. De forma predeterminada, GeoServer utiliza la clase PreventLocalEntityResolver de GeoTools para filtrar URI maliciosos en entidades XML antes de resolverlos. El URI debe coincidir con la expresi\u00f3n regular (?i)(jar:file|http|vfs)[^?#;]*\\\\.xsd. Sin embargo, la expresi\u00f3n regular permite a los atacantes realizar solicitudes a cualquier servidor HTTP o archivo limitado. Un atacante puede aprovechar esto para escanear redes internas, obtener informaci\u00f3n sobre ellas y luego explotarla. GeoServer 2.25.0 y versiones posteriores utilizan ENTITY_RESOLUTION_ALLOWLIST de forma predeterminada y no requieren que se proporcione una propiedad del sistema."
    }
  ],
  "id": "CVE-2024-34711",
  "lastModified": "2025-08-26T16:24:18.393",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-06-10T15:15:22.710",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Mitigation",
        "Third Party Advisory"
      ],
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-611"
        },
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-34711 (GCVE-0-2024-34711)

GHSA-MC43-4FQR-C965

Summary

Details

Impact

Mitigation

Resolution

References

Credits

WID-SEC-W-2025-1267

FKIE_CVE-2024-34711

Tags

Sightings

Nomenclature