GHSA-JM79-7XHW-6F6F

Vulnerability from github – Published: 2025-06-10 14:14 – Updated: 2025-06-10 15:35
VLAI?
Summary
GWC Home Page communicate version and revision information
Details

Summary

The GeoWebCache home page includes version and revision information about the software in use. This information is sensitive from a security point of view because it allows software used by the server to be easily identified.

Details

org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations.

PoC

Just open http://localhost:8080/geoserver/gwc/

Impact

In addition to exposing the version and revision information, the home page will expose the config file and storage locations which may expose the system's temp directory location and whether or not GeoServer is running in a Windows operating system. The approximate server start time and some basic GWC usage information is also exposed.

References

https://osgeo-org.atlassian.net/browse/GEOS-11677 https://github.com/geoserver/geoserver/pull/8189 https://github.com/GeoWebCache/geowebcache/issues/1344 https://github.com/GeoWebCache/geowebcache/pull/1345

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.26.0"
            },
            {
              "fixed": "2.26.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-gwc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.26.0"
            },
            {
              "fixed": "2.26.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver:gs-gwc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.25.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-38524"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-10T14:14:08Z",
    "nvd_published_at": "2025-06-10T15:15:22Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe GeoWebCache home page includes version and revision information about the software in use. This information is sensitive from a security point of view because it allows software used by the server to be easily identified.\n\n### Details\norg.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations.\n\n### PoC\nJust open http://localhost:8080/geoserver/gwc/\n\n### Impact\nIn addition to exposing the version and revision information, the home page will expose the config file and storage locations which may expose the system\u0027s temp directory location and whether or not GeoServer is running in a Windows operating system. The approximate server start time and some basic GWC usage information is also exposed.\n\n### References\nhttps://osgeo-org.atlassian.net/browse/GEOS-11677\nhttps://github.com/geoserver/geoserver/pull/8189\nhttps://github.com/GeoWebCache/geowebcache/issues/1344\nhttps://github.com/GeoWebCache/geowebcache/pull/1345",
  "id": "GHSA-jm79-7xhw-6f6f",
  "modified": "2025-06-10T15:35:27Z",
  "published": "2025-06-10T14:14:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38524"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GeoWebCache/geowebcache/issues/1344"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GeoWebCache/geowebcache/pull/1345"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/pull/8189"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    },
    {
      "type": "WEB",
      "url": "https://osgeo-org.atlassian.net/browse/GEOS-11677"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GWC Home Page communicate version and revision information"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.