GHSA-8G7V-VJRC-X4G5

Vulnerability from github – Published: 2024-03-20 14:45 – Updated: 2024-03-20 15:44
VLAI?
Summary
GeoServer log file path traversal vulnerability
Details

Impact

This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the Global Settings for log file location to an arbitrary location.

This can be used to read files via the admin console GeoServer Logs page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files.

Patches

As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources.

Interested parties are welcome to contact geoserver-security@lists.osgeo.org for recommendations on developing a fix.

Workarounds

A system administrator responsible for running GeoServer can define the GEOSERVER_LOG_FILE parameter, preventing the global setting provided from being used.

The GEOSERVER_LOG_LOCATION parameter can be set as system property, environment variable, or servlet context parameter.

Environmental variable:

export GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs

System property:

-DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs

Web application WEB-INF/web.xml:

  <context-param>
    <param-name> GEOSERVER_LOG_LOCATION </param-name>
    <param-value>/var/opt/geoserver/logs</param-value>
  </context-param>

Tomcat conf/Catalina/localhost/geoserver.xml:

<Context>
  <Parameter name="GEOSERVER_LOG_LOCATION"
             value="/var/opt/geoserver/logs" override="false"/>
</Context>

References

Severity ?
7.2 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-main"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.23.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41877"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-20T14:45:21Z",
    "nvd_published_at": "2024-03-20T15:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThis vulnerability requires GeoServer Administrator with access to the admin console  to misconfigured the **Global Settings** for **log file location** to an arbitrary location.\n\nThis can be used to read files via the admin console **GeoServer Logs** page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files.\n\n### Patches\n\nAs this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources.\n\nInterested parties are welcome to contact geoserver-security@lists.osgeo.org for recommendations on developing a fix.\n\n### Workarounds\n\nA system administrator responsible for running GeoServer can define  the ``GEOSERVER_LOG_FILE`` parameter, preventing the global setting provided from being used.\n\nThe ``GEOSERVER_LOG_LOCATION`` parameter can be set as system property, environment variable, or servlet context parameter.\n\nEnvironmental variable:\n```bash\nexport GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs\n```\n\nSystem property:\n```bash\n-DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs\n```\n\nWeb application ``WEB-INF/web.xml``:\n```xml\n  \u003ccontext-param\u003e\n    \u003cparam-name\u003e GEOSERVER_LOG_LOCATION \u003c/param-name\u003e\n    \u003cparam-value\u003e/var/opt/geoserver/logs\u003c/param-value\u003e\n  \u003c/context-param\u003e\n```\n\nTomcat **conf/Catalina/localhost/geoserver.xml**:\n```xml\n\u003cContext\u003e\n  \u003cParameter name=\"GEOSERVER_LOG_LOCATION\"\n             value=\"/var/opt/geoserver/logs\" override=\"false\"/\u003e\n\u003c/Context\u003e\n```\n\n### References\n\n* [Log location](https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location) (User Manual)\n",
  "id": "GHSA-8g7v-vjrc-x4g5",
  "modified": "2024-03-20T15:44:08Z",
  "published": "2024-03-20T14:45:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-8g7v-vjrc-x4g5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41877"
    },
    {
      "type": "WEB",
      "url": "https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoServer log file path traversal vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.