SB2026050560 - Multiple vulnerabilities in geoserver

Published: May 5, 2026

Security Bulletin ID: SB2026050560
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 67%, Low 33%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2024-34696)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the Server Status page and REST API endpoint when handling status requests. A remote privileged user can access the status message to disclose sensitive information.

User interaction is required, and the precise scope depends on the deployment environment and configuration.


2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-40822)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the TestWfsPost endpoint when handling user-supplied requests to specific targets. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue is limited to specific targets, such as PHP + Nginx environments.


3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-29198)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the TestWfsPost demo request endpoint when handling user-supplied requests. A remote attacker can send a specially crafted request to disclose sensitive information.

Exploitation is possible if the Proxy Base URL setting has not been configured, and the flaw may be used to enumerate internal networks.
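As an added example (not part of this bulletin and not GeoServer's own code), a small Python audit of the precondition in item 3: it reads the JSON that GeoServer's REST settings endpoint returns (`/geoserver/rest/settings.json` and its `global.settings.proxyBaseUrl` field are assumptions to compare against your own instance), reports whether Proxy Base URL is configured, and builds the PUT body an administrator would use to set it. The sample settings documents are constructed.

```python
import json
from urllib.parse import urlparse

# Constructed samples of the JSON returned by GET /geoserver/rest/settings.json
# (field layout is an assumption; check it against your own instance).
SAMPLE_SETTINGS_UNSET = json.dumps({
    "global": {"settings": {"charset": "UTF-8", "proxyBaseUrl": "", "verbose": False}}
})
SAMPLE_SETTINGS_SET = json.dumps({
    "global": {"settings": {"charset": "UTF-8",
                            "proxyBaseUrl": "https://maps.example.org/geoserver"}}
})


def proxy_base_url(settings_json: str) -> str:
    """Return the configured Proxy Base URL, or "" if it is missing or blank."""
    doc = json.loads(settings_json)
    value = doc.get("global", {}).get("settings", {}).get("proxyBaseUrl")
    return (value or "").strip()


def audit_proxy_base_url(settings_json: str) -> dict:
    """Classify the setting as the bulletin describes: unset means the
    TestWfsPost demo endpoint may be exposed to SSRF (CVE-2024-29198);
    a malformed value is flagged so the operator fixes it rather than
    trusting a setting that is present but useless."""
    value = proxy_base_url(settings_json)
    if not value:
        return {"status": "unset", "finding": "Proxy Base URL not configured"}
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return {"status": "malformed", "finding": f"not an absolute URL: {value!r}"}
    return {"status": "set", "finding": f"Proxy Base URL configured as {value}"}


def settings_update_payload(public_url: str) -> str:
    """Body for PUT /geoserver/rest/settings (assumed shape) that sets the value.
    Only an absolute http(s) URL is accepted so the fix cannot reintroduce the gap."""
    parsed = urlparse(public_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("public_url must be an absolute http(s) URL")
    return json.dumps({"global": {"settings": {"proxyBaseUrl": public_url}}})


if __name__ == "__main__":
    for sample in (SAMPLE_SETTINGS_UNSET, SAMPLE_SETTINGS_SET):
        print(audit_proxy_base_url(sample))
    print(settings_update_payload("https://maps.example.org/geoserver"))
```

Feed the audit function the live settings JSON fetched with administrator credentials; applying the update is an authenticated PUT of the payload with `Content-Type: application/json`, after which the audit should report `set`.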


Remediation

Install the update from the vendor's website.