GHSA-JHQX-5V5G-MPF3

Vulnerability from github – Published: 2024-07-01 19:24 – Updated: 2025-11-04 22:15
VLAI?
Summary
Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat
Details

Impact

If GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions.

If GeoServer is also deployed as a web archive using the data directory embedded in the geoserver.war file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary).

Patches

https://github.com/GeoWebCache/geowebcache/pull/1211

Workarounds

Change environment:

  • Change from Windows operating system. This vulnerability depends on Windows file paths so Linux and Mac OS are not vulnerable.
  • Change from Apache Tomcat application server. Jetty and WildFly are confirmed to not be vulnerable. Other application servers have not been tested and may be vulnerable.

Disable anonymous access to the embeded GeoWebCache administration and status pages:

  1. Navigate to Security > Authentication Page
  2. Locate Filter Chains heading
  3. Select the web filter filter chain (ant pattern /web/**,/gwc/rest/web/**,/)
  4. Remove ,/gwc/rest/web/** from the pattern (so that /web/**,/ is left).
  5. Save the changes

References

  • CVE-Pending
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.23.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.24.0"
            },
            {
              "fixed": "2.24.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-gwc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.23.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-gwc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.24.0"
            },
            {
              "fixed": "2.24.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24749"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-01T19:24:04Z",
    "nvd_published_at": "2024-07-01T14:15:05Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nIf GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions.\n\nIf GeoServer is also deployed as a web archive using the data directory embedded in the geoserver.war file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges.  However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary).\n\n### Patches\n\nhttps://github.com/GeoWebCache/geowebcache/pull/1211\n\n### Workarounds\n\nChange environment:\n\n* Change from Windows operating system. This vulnerability depends on Windows file paths so Linux and Mac OS are not vulnerable.\n* Change from Apache Tomcat application server. Jetty and WildFly are confirmed to not be vulnerable. Other application servers have not been tested and may be vulnerable.\n\nDisable anonymous access to the embeded GeoWebCache administration and status pages:\n\n1. Navigate to **Security \u003e Authentication** Page\n2. Locate **Filter Chains** heading\n3. Select the ``web`` filter filter chain (ant pattern ``/web/**,/gwc/rest/web/**,/``)\n4. Remove ``,/gwc/rest/web/**`` from the pattern (so that ``/web/**,/`` is left).\n5. Save the changes\n\n### References\n\n* CVE-Pending",
  "id": "GHSA-jhqx-5v5g-mpf3",
  "modified": "2025-11-04T22:15:29Z",
  "published": "2024-07-01T19:24:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24749"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GeoWebCache/geowebcache/pull/1211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GeoWebCache/geowebcache/commit/c7f76bd8a1d67c3b986146e7a5e0b14dd64a8fef"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Feb/13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.