SB2024031972 - Multiple vulnerabilities in geoserver
Published: March 19, 2024 Updated: May 5, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Path traversal (CVE-ID: CVE-2024-24749)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the GeoWebCache ByteStreamController class when handling crafted web resource requests on Windows deployments using Apache Tomcat. A remote attacker can send a specially crafted request to disclose sensitive information.
If GeoServer is deployed as a web archive with the data directory embedded in the geoserver.war file, specific disclosed resources may enable subsequent administrator privilege gain.
2) External Control of File Name or Path (CVE-ID: CVE-2024-23634)
The vulnerability allows a remote user to rename arbitrary files and directories, causing a denial of service.
The vulnerability exists due to external control of file name or path in the REST Coverage Store or Data Store API when using the external upload method. A remote privileged user can send a specially crafted upload request to rename arbitrary files and directories, causing a denial of service.
Successful exploitation is limited to file and directory names that do not end in ".zip".
3) Path traversal (CVE-ID: CVE-2023-41877)
The vulnerability allows a remote user to read arbitrary files, execute arbitrary code, or cause a denial of service.
The vulnerability exists due to path traversal in the Global Settings log file location and GeoServer Logs page when handling an administrator-configured log file path. A remote privileged user can set the log file location to an arbitrary path to read arbitrary files, execute arbitrary code, or cause a denial of service.
Exploitation requires access to the admin console to configure the log file location.
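Vulnerabilities 1 and 3 above are both path containment failures: a path from an untrusted source (a web resource request, an administrator-supplied log file location) is resolved without confirming that the result stays inside the directory it is supposed to be confined to. The check below is an added illustration of that mitigation, not GeoServer's or GeoWebCache's own code; the base directory and request strings are constructed sample values, and it deliberately treats Windows-style backslash separators and percent-encoded dot segments as equivalent to plain ones.

```python
import os
from typing import Optional
from urllib.parse import unquote


def contain_path(base_dir: str, untrusted: str) -> Optional[str]:
    """Resolve an untrusted path under base_dir, or refuse it.

    Returns the normalized absolute path when it lies inside base_dir and
    None when it would escape. Percent-encoding is decoded twice so that
    double-encoded segments (%252e%252e) cannot slip past the check,
    backslashes are treated as separators (Windows deployments), and a
    leading slash is stripped so absolute input is re-rooted under base_dir.
    """
    decoded = untrusted
    for _ in range(2):            # collapse single and double URL encoding
        decoded = unquote(decoded)
    if "\x00" in decoded:          # embedded NUL would truncate the path downstream
        return None
    decoded = decoded.replace("\\", "/")   # Windows separator == '/'
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # Compare with a trailing separator so "/opt/gs/www2" is not accepted
    # as being inside "/opt/gs/www".
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def check_requests(base_dir: str, requests):
    """Return a list of (request, verdict) pairs for a batch of paths."""
    return [(r, "allow" if contain_path(base_dir, r) else "reject") for r in requests]


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    samples = [
        "css/style.css",
        "../../etc/passwd",
        "..\\..\\Windows\\win.ini",
        "%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/%252e%252e/etc/passwd",
    ]
    for req, verdict in check_requests("/opt/gs/www", samples):
        print(f"{verdict:6s} {req}")
```

The same function applies to the administrator-configured log location in vulnerability 3: pass the data directory as `base_dir` and refuse any configured value for which it returns None.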
Remediation
Install the update from the vendor's website.
References
- https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3
- https://github.com/GeoWebCache/geowebcache/pull/1211
- https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx
- https://github.com/geoserver/geoserver/pull/7289
- https://github.com/geoserver/geoserver/security/advisories/GHSA-8g7v-vjrc-x4g5