Path Traversal Vulnerability in GeoServer Affects Administrator Trust
CVE-2023-41877
What is CVE-2023-41877?
A path traversal vulnerability exists in GeoServer, an open-source server for sharing and editing geospatial data. An administrator with access to the GeoServer admin console can inadvertently misconfigure the log file location in the Global Settings, potentially allowing log files to be written to arbitrary locations. This misconfiguration exposes sensitive log data through the GeoServer Logs page. Because the issue requires administrator access, it is particularly concerning: that access typically belongs to trusted individuals. No official patch is currently available; as a mitigation, administrators are advised to use the GEOSERVER_LOG_FILE setting to specify a secure log file location. This parameter can be configured as a system property, environment variable, or servlet context parameter, providing a temporary workaround until a permanent fix is provided.
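The following is an added example, not code from GeoServer or from this advisory, showing the defensive check behind the workaround above: a log file location is only accepted if it canonicalises to a path inside an administrator-chosen log directory, and the accepted path is then rendered in the three forms the advisory names (JVM system property, environment variable, servlet context parameter). The base directory `/var/log/geoserver` and the helper names are assumptions for illustration; only the `GEOSERVER_LOG_FILE` name comes from the advisory.

```python
import os
from xml.sax.saxutils import escape


def validate_log_file(base_dir: str, configured: str) -> str:
    """Return the canonical path for `configured` if it lies inside `base_dir`.

    Both sides are canonicalised with os.path.realpath so that '..' segments
    and symlinks cannot carry the result outside the log directory. A value
    that resolves elsewhere raises ValueError.
    """
    base = os.path.realpath(base_dir)
    # A relative value is interpreted relative to the log directory;
    # os.path.join keeps an absolute value unchanged.
    target = os.path.realpath(os.path.join(base, configured))
    # commonpath compares whole components, so '/var/log/geoserver' is not
    # treated as a prefix of a sibling such as '/var/log/geoserver2'.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"log file {configured!r} resolves outside {base}")
    return target


def is_within(base_dir: str, configured: str) -> bool:
    """Boolean form of validate_log_file for callers that only need a verdict."""
    try:
        validate_log_file(base_dir, configured)
        return True
    except ValueError:
        return False


def mitigation_settings(base_dir: str, configured: str) -> dict:
    """Render an accepted log file path in the three configuration forms
    named in the advisory. Raises ValueError for a path outside base_dir,
    so a traversal value is never emitted as a setting."""
    path = validate_log_file(base_dir, configured)
    return {
        # JVM command-line system property (hypothetical launcher snippet)
        "system_property": f"-DGEOSERVER_LOG_FILE={path}",
        # Shell environment variable for the service account
        "environment_variable": f"GEOSERVER_LOG_FILE={path}",
        # Servlet context parameter fragment for the application's web.xml
        "context_param": (
            "<context-param>\n"
            "  <param-name>GEOSERVER_LOG_FILE</param-name>\n"
            f"  <param-value>{escape(path)}</param-value>\n"
            "</context-param>"
        ),
    }


if __name__ == "__main__":
    # Constructed sample values: one acceptable, two that escape the directory.
    base = "/var/log/geoserver"
    for value in ("geoserver.log", "../other/app.log", "/var/log/geoserver2/app.log"):
        print(f"{value!r}: within log dir = {is_within(base, value)}")
    print(mitigation_settings(base, "geoserver.log")["context_param"])
```

Run the check wherever the value is set (deployment scripts, configuration management, or a review of the Global Settings form) so that a log location outside the intended directory is rejected before GeoServer starts, rather than discovered later through the Logs page.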
Affected Version(s)
geoserver <= 2.23.4