Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04Zzd2LXZqcmMteDRnNc4AA6JF
GeoServer log file path traversal vulnerability
Impact
This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the Global Settings for log file location to an arbitrary location.
This can be used to read files via the admin console GeoServer Logs page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files.
Patches
As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources.
Interested parties are welcome to contact [email protected] for recommendations on developing a fix.
Workarounds
A system administrator responsible for running GeoServer can define the GEOSERVER_LOG_FILE parameter, preventing the global setting provided from being used.
The GEOSERVER_LOG_LOCATION parameter can be set as system property, environment variable, or servlet context parameter.
Environmental variable:
export GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs
System property:
-DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs
Web application WEB-INF/web.xml:
<context-param>
<param-name> GEOSERVER_LOG_LOCATION </param-name>
<param-value>/var/opt/geoserver/logs</param-value>
</context-param>
Tomcat conf/Catalina/localhost/geoserver.xml:
<Context>
<Parameter name="GEOSERVER_LOG_LOCATION"
value="/var/opt/geoserver/logs" override="false"/>
</Context>
References
- Log location (User Manual)
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04Zzd2LXZqcmMteDRnNc4AA6JF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-8g7v-vjrc-x4g5, CVE-2023-41877
References:
- https://github.com/geoserver/geoserver/security/advisories/GHSA-8g7v-vjrc-x4g5
- https://nvd.nist.gov/vuln/detail/CVE-2023-41877
- https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location
- https://github.com/advisories/GHSA-8g7v-vjrc-x4g5
Blast Radius: 1.0
Affected Packages
maven:org.geoserver:gs-main
Affected Version Ranges: <= 2.23.4No known fixed version