Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-6pfc-w86r-54q6: Welcome and About GeoServer pages communicate version and revision information

Impact

The welcome and about page includes version and revision information about the software in use (including library and components used).

This information is sensitive from a security point of view because it allows software used by the server to be easily identified.

Proof of Concept

  1. Welcome page footer:

    <img width="432" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/a7fd5151-55d5-432b-9d5d-79136833609f">

  2. About page build information.

    <img width="401" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/59fcd8dd-eaee-4bf8-9578-a2a94b2864db">

Patches

No patch presently available.

Workarounds

No workaround available, although the ADMIN_CONSOLE can be disabled completely.

References

ghsa
#web#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-35230

Welcome and About GeoServer pages communicate version and revision information

Moderate severity GitHub Reviewed Published Dec 16, 2024 in geoserver/geoserver • Updated Dec 16, 2024

Package

maven org.geoserver.web:gs-web-app (Maven)

Affected versions

>= 2.0.0, < 2.25.1

maven org.geoserver.web:gs-web-core (Maven)

Impact

The welcome and about page includes version and revision information about the software in use (including library and components used).

This information is sensitive from a security point of view because it allows software used by the server to be easily identified.

Proof of Concept

  1. Welcome page footer:

  2. About page build information.

Patches

No patch presently available.

Workarounds

No workaround available, although the ADMIN_CONSOLE can be disabled completely.

References

  • About GeoServer

References

  • GHSA-6pfc-w86r-54q6
  • geoserver/geoserver@5fd5f35

Published to the GitHub Advisory Database

Dec 16, 2024

Last updated

Dec 16, 2024

ghsa: Latest News

GHSA-cmwp-442x-3rcv: Piranha CMS Cross-site Scripting vulnerability