Server-Side Request Forgery (SSRF) in geoserver - CVE-2024-29198

Published: May 5, 2026


Vulnerability identifier: #VU129770
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-29198
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
geoserver
Software vendor:
geoserver

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the TestWfsPost demo request endpoint when handling user-supplied requests. A remote attacker can send a specially crafted request to disclose sensitive information.

Exploitation is possible if the Proxy Base URL has not been set; a successful request may be used to enumerate internal networks.
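As an added, defender-side illustration (not code from this advisory or from the GeoServer project), the check below mirrors the intended restriction that the demo endpoint should only forward to the configured Proxy Base URL, and applies it to access-log lines to surface requests that targeted internal addresses. It assumes the endpoint path ends in /TestWfsPost and that the target is passed in a query parameter named `url`; the log lines are constructed samples.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, trimmed).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /geoserver/TestWfsPost?url=http%3A%2F%2Fgeo.example.org%2Fgeoserver%2Fwfs HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /geoserver/TestWfsPost?url=http%3A%2F%2F127.0.0.1%2F HTTP/1.1" 200 128',
    '10.0.0.5 - - [01/Jan/2026:10:00:02 +0000] "GET /geoserver/TestWfsPost?url=http%3A%2F%2F10.1.2.3%3A8080%2F HTTP/1.1" 200 64',
    '10.0.0.5 - - [01/Jan/2026:10:00:03 +0000] "GET /geoserver/wfs?request=GetCapabilities HTTP/1.1" 200 4096',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def target_url(log_line):
    """Return the `url` parameter of a TestWfsPost request, else None.
    Path suffix and parameter name are assumptions, not from the advisory."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    req = urlsplit(m.group(1))
    if not req.path.endswith("/TestWfsPost"):
        return None
    return parse_qs(req.query).get("url", [None])[0]

def is_allowed(target, proxy_base_url):
    """Allow only targets on the Proxy Base URL's scheme/host/port.
    An unset Proxy Base URL (the vulnerable condition) denies everything."""
    if not proxy_base_url:
        return False
    want, got = urlsplit(proxy_base_url), urlsplit(target)
    return (got.scheme, got.hostname, got.port) == (want.scheme, want.hostname, want.port)

def is_internal_host(host):
    """True for loopback/private/link-local literal IPs (no DNS lookup)."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # hostname rather than a literal; resolve before judging

def scan(lines, proxy_base_url):
    """Return (line_no, target, reason) for TestWfsPost requests to review."""
    findings = []
    for n, line in enumerate(lines, 1):
        target = target_url(line)
        if target is None or is_allowed(target, proxy_base_url):
            continue
        host = urlsplit(target).hostname or ""
        reason = "internal-address" if is_internal_host(host) else "off-proxy-base"
        findings.append((n, target, reason))
    return findings
```

With the Proxy Base URL set, only the two requests aimed at internal addresses are reported; with it empty, every TestWfsPost request is reported, which matches the advisory's condition for exploitability.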


Remediation

Install the security update from the vendor's website.

External links