Information disclosure in geoserver - CVE-2024-38524

 

Published: May 5, 2026


Vulnerability identifier: #VU129767
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-38524
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
geoserver
Software vendor:
geoserver

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the GeoWebCache home page when handling requests to the front page endpoint. A remote attacker can send a request to the GeoWebCache home page to disclose sensitive information.

The exposed information may include version and revision details, configuration file and storage locations, the system temp directory location, operating system hints, approximate server start time, and basic GeoWebCache usage information.


Remediation

Install the security update from the vendor's website.
