GHSA-6PFC-W86R-54Q6

Vulnerability from github – Published: 2024-12-16 22:18 – Updated: 2024-12-17 14:38
VLAI?
Summary
Welcome and About GeoServer pages communicate version and revision information
Details

Impact

The welcome and about page includes version and revision information about the software in use (including library and components used).

This information is sensitive from a security point of view because it allows software used by the server to be easily identified.

Proof of Concept

  1. Welcome page footer:

image

  1. About page build information.

image

Patches

No patch presently available.

Workarounds

No workaround available, although the ADMIN_CONSOLE can be disabled completely.

References

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.25.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.25.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-35230"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-16T22:18:29Z",
    "nvd_published_at": "2024-12-16T23:15:06Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe welcome and about page includes version and revision information about the software in use (including library and components used).\n\nThis information is sensitive from a security point of view because it allows software used by the server to be easily identified.\n\n### Proof of Concept\n\n1. Welcome page footer: \n   \n   \u003cimg width=\"432\" alt=\"image\" src=\"https://github.com/geoserver/geoserver/assets/629681/a7fd5151-55d5-432b-9d5d-79136833609f\"\u003e\n\n2. About page *build information*. \n\n   \u003cimg width=\"401\" alt=\"image\" src=\"https://github.com/geoserver/geoserver/assets/629681/59fcd8dd-eaee-4bf8-9578-a2a94b2864db\"\u003e\n\n### Patches\n\nNo patch presently available.\n\n### Workarounds\n\nNo workaround available, although the ADMIN_CONSOLE can be disabled completely.\n\n### References\n\n* [About GeoServer](https://docs.geoserver.org/latest/en/user/webadmin/about.html)\n",
  "id": "GHSA-6pfc-w86r-54q6",
  "modified": "2024-12-17T14:38:08Z",
  "published": "2024-12-16T22:18:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6pfc-w86r-54q6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35230"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/commit/5fd5f35ae176eff3cc4667a5cf48e4bf5dc4ea99"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/commit/74fdab745a5deff20ac99abca24d8695fe1a52f8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/commit/8cd1590a604a10875de67b04995f1952f631f920"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Welcome and About GeoServer pages communicate version and revision information"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.