CVE-2024-38524

GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
VendorProductVersion
osgeogeoserver
𝑥
< 2.25.6
osgeogeoserver
2.26.0 ≤
𝑥
< 2.26.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/GeoWebCache/geowebcache/issues/1344
https://github.com/GeoWebCache/geowebcache/pull/1345
https://github.com/geoserver/geoserver/pull/8189
https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f
https://osgeo-org.atlassian.net/browse/GEOS-11677