Path Traversal Vulnerability in GeoServer Affects Administrator Trust
CVE-2023-41877

7.2HIGH

Key Information:

Vendor: Geoserver
Status: Geoserver
Vendor: CVE Published:; 20 March 2024

What is CVE-2023-41877?

A path traversal vulnerability exists in GeoServer, an open-source server designed for sharing and editing geospatial data. Administrators with access to the GeoServer admin console can inadvertently misconfigure the Global Settings related to log file locations, potentially allowing log files to be written to arbitrary locations. This misconfiguration exposes sensitive log data through the GeoServer Logs page. As the issue requires administrator access, it is particularly concerning as this access typically belongs to trusted individuals. Currently, no official patch is available for this vulnerability; however, it is suggested that administrators mitigate the risk by utilizing the GEOSERVER_LOG_FILE setting to specify a secure log file location. This parameter can be configured as a system property, environment variable, or servlet context parameter, providing a temporary workaround until a permanent solution is provided.

Affected Version(s)

geoserver <= 2.23.4

References

https://github.com/geoserver/geoserver/security/advisorie...

x_refsource_CONFIRM

https://docs.geoserver.org/latest/en/user/configuration/g...

x_refsource_MISC

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2024
Vulnerability Reserved
Sep 4, 2023

Geoserver

What is CVE-2023-41877?

Affected Version(s)

References

CVSS V3.1

Timeline