Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-8g7v-vjrc-x4g5: GeoServer log file path traversal vulnerability

Impact

This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the Global Settings for log file location to an arbitrary location.

This can be used to read files via the admin console GeoServer Logs page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files.

Patches

As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources.

Interested parties are welcome to contact [email protected] for recommendations on developing a fix.

Workarounds

A system administrator responsible for running GeoServer can define the GEOSERVER_LOG_FILE parameter, preventing the global setting provided from being used.

The GEOSERVER_LOG_LOCATION parameter can be set as system property, environment variable, or servlet context parameter.

Environmental variable:

export GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs

System property:

-DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs

Web application WEB-INF/web.xml:

  <context-param>
    <param-name> GEOSERVER_LOG_LOCATION </param-name>
    <param-value>/var/opt/geoserver/logs</param-value>
  </context-param>

Tomcat conf/Catalina/localhost/geoserver.xml:

<Context>
  <Parameter name="GEOSERVER_LOG_LOCATION"
             value="/var/opt/geoserver/logs" override="false"/>
</Context>

References

ghsa
#vulnerability#web#dos#git#java#rce#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-41877

GeoServer log file path traversal vulnerability

High severity GitHub Reviewed Published Mar 19, 2024 in geoserver/geoserver • Updated Mar 20, 2024

Package

maven org.geoserver:gs-main (Maven)

Affected versions

<= 2.23.4

Impact

This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the Global Settings for log file location to an arbitrary location.

This can be used to read files via the admin console GeoServer Logs page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files.

Patches

As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources.

Interested parties are welcome to contact [email protected] for recommendations on developing a fix.

Workarounds

A system administrator responsible for running GeoServer can define the GEOSERVER_LOG_FILE parameter, preventing the global setting provided from being used.

The GEOSERVER_LOG_LOCATION parameter can be set as system property, environment variable, or servlet context parameter.

Environmental variable:

export GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs

System property:

-DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs

Web application WEB-INF/web.xml:

<context-param> <param-name> GEOSERVER_LOG_LOCATION </param-name> <param-value>/var/opt/geoserver/logs</param-value> </context-param>

Tomcat conf/Catalina/localhost/geoserver.xml:

<Context> <Parameter name="GEOSERVER_LOG_LOCATION" value="/var/opt/geoserver/logs" override="false"/> </Context>

References

  • Log location (User Manual)

References

  • GHSA-8g7v-vjrc-x4g5
  • https://nvd.nist.gov/vuln/detail/CVE-2023-41877
  • https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location

Published to the GitHub Advisory Database

Mar 20, 2024

Last updated

Mar 20, 2024

ghsa: Latest News

GHSA-hxf5-99xg-86hw: cap-std doesn't fully sandbox all the Windows device filenames