Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qaHF4LTV2NWctbXBmM84AA9cq

Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat

Impact

If GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions.

If GeoServer is also deployed as a web archive using the data directory embedded in the geoserver.war file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary).

Patches

https://github.com/GeoWebCache/geowebcache/pull/1211

Workarounds

Change environment:

Disable anonymous access to the embeded GeoWebCache administration and status pages:

  1. Navigate to Security > Authentication Page
  2. Locate Filter Chains heading
  3. Select the web filter filter chain (ant pattern /web/**,/gwc/rest/web/**,/)
  4. Remove ,/gwc/rest/web/** from the pattern (so that /web/**,/ is left).
  5. Save the changes

References

Permalink: https://github.com/advisories/GHSA-jhqx-5v5g-mpf3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qaHF4LTV2NWctbXBmM84AA9cq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 13 days ago
Updated: 13 days ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-jhqx-5v5g-mpf3, CVE-2024-24749
References: Repository: https://github.com/geoserver/geoserver
Blast Radius: 1.0

Affected Packages

maven:org.geoserver:gs-gwc
Affected Version Ranges: >= 2.24.0, < 2.24.3, < 2.23.5
Fixed in: 2.24.3, 2.23.5
maven:org.geoserver.web:gs-web-app
Affected Version Ranges: >= 2.24.0, < 2.24.3, < 2.23.5
Fixed in: 2.24.3, 2.23.5