
GSA_kwCzR0hTQS0ycDc2LWdjNDYtNWZ2Y84ABI5z

GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint

Affected Packages / Affected Versions / Fixed Versions

Package: maven:org.geonetwork-opensource:gn-wfsfeature-harvester
  Affected versions: >= 4.2.0, <= 4.2.12 and >= 4.4.0, <= 4.4.7
  Fixed versions: 4.2.13, 4.4.8

Package: maven:org.geonetwork-opensource:gn-web-app
  Affected versions: >= 4.2.0, <= 4.2.12 and >= 4.4.0, <= 4.4.7
  Fixed versions: 4.2.13, 4.4.8

Impact

GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation.

This vulnerability is particularly severe because the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files from the server.
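The defensive side of the issue above is a JAXP parser and schema-validator configuration that refuses DOCTYPE declarations and external DTD/schema access. The following is an added example written for this advisory; it is not GeoNetwork or GeoTools code and does not show the actual upstream fix. It assumes the standard JDK JAXP implementation (Xerces), whose feature URIs are the ones set below, and the class name XxeHardeningCheck and its sample documents are constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeHardeningCheck {

    // Hardened DocumentBuilderFactory: reject any DOCTYPE outright, and as
    // defense in depth also disable external entities and external DTD loading.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Hardened SchemaFactory: schema validation is itself an XML parse, so the
    // validator must also be forbidden from fetching external DTDs and schemas.
    static SchemaFactory hardenedSchemaFactory() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    // Returns true when the hardened parser refuses the document, which is the
    // desired outcome for any input carrying a DOCTYPE declaration.
    static boolean rejectsDoctype(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one with an (internal) DOCTYPE, one without.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE t [<!ENTITY e \"x\">]><t>&e;</t>";
        String plain = "<?xml version=\"1.0\"?><t>ok</t>";
        System.out.println("DOCTYPE document rejected: " + rejectsDoctype(withDoctype));
        System.out.println("plain document rejected:   " + rejectsDoctype(plain));
        // Constructing the validator factory confirms the JAXP implementation
        // honours the ACCESS_EXTERNAL_* properties (it throws otherwise).
        hardenedSchemaFactory();
    }
}
```

Rejecting the DOCTYPE entirely is the simplest and most robust setting; the individual entity and external-DTD features matter only where DOCTYPEs must be tolerated. The same ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties should be applied to every SchemaFactory and Validator in the code path, because a document that passes the parser can still trigger external fetches during validation.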

Patches

GeoNetwork 4.4.8 / 4.2.13.

Workarounds

Remove the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars, disabling the WFS Index functionality.
