Main Vulnerability Database Vulnerabilities #VU129768

XML External Entity injection in geoserver - CVE-2024-34711

Published: May 5, 2026

Vulnerability identifier: #VU129768

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-34711

CWE-ID: CWE-611

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
geoserver

Software vendor:
geoserver

Description

The vulnerability allows a remote attacker to perform server-side request forgery and disclose limited information.

The vulnerability exists due to improper restriction of xml external entity reference in PreventLocalEntityResolver when processing XML entities with crafted external schema URIs. A remote attacker can send a specially crafted XML document to perform server-side request forgery and disclose limited information.

The issue can be abused to send GET requests to arbitrary HTTP servers, scan internal networks, and read limited .xsd files on the system.

Remediation

Install security update from vendor's website.

External links

https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965

XML External Entity injection in geoserver - CVE-2024-34711

Description

Remediation

External links

Please verify you're human