Information disclosure in geoserver - CVE-2024-34696

 


Published: July 1, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129744
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-34696
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: geoserver
Affected software: geoserver

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the Server Status page and REST API endpoint when handling status requests. A remote privileged user can access the status message to disclose sensitive information.

User interaction is required, and the precise scope depends on the deployment environment and configuration.


How to mitigate CVE-2024-34696

Install the security update from the vendor's website.
