Path Traversal Vulnerability in GeoServer Affects Administrator Trust
CVE-2023-41877

7.2 HIGH

Key Information:

Vendor: Geoserver
Status: Vendor
CVE Published: 20 March 2024

What is CVE-2023-41877?

A path traversal vulnerability exists in GeoServer, an open-source server for sharing and editing geospatial data. An administrator with access to the GeoServer admin console can misconfigure the log file location in the Global Settings, potentially causing log files to be written to an arbitrary location on the server; the misconfigured location also exposes sensitive log data through the GeoServer Logs page. Because the issue requires administrator access, which normally belongs to trusted individuals, it is of particular concern. No official patch is currently available; administrators are advised to mitigate the risk by using the GEOSERVER_LOG_FILE setting to pin the log file to a secure location. This setting can be supplied as a system property, an environment variable, or a servlet context parameter, and serves as a workaround until a permanent fix is released.
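The containment check below is an added illustration, not GeoServer's own code: it shows how a deployment-level GEOSERVER_LOG_FILE value (read here from the environment) takes precedence over whatever is typed into Global Settings, and how a candidate log path is normalised and tested against an allowed directory so that `..` segments or absolute paths outside it are flagged. The allowed directory and the sample settings are assumed values constructed for the example.

```python
import os
from pathlib import Path

# Assumed directory in which this deployment permits log files to live.
# Not a GeoServer default; constructed for the example.
ALLOWED_LOG_DIR = "/var/lib/geoserver/logs"


def resolve_log_location(ui_value, env=None):
    """Return (path, source) for the effective log file location.

    Mirrors the advisory's mitigation: a GEOSERVER_LOG_FILE value set outside
    the admin console wins over the Global Settings value typed into the UI.
    """
    env = os.environ if env is None else env
    fixed = env.get("GEOSERVER_LOG_FILE")
    if fixed:
        return fixed, "GEOSERVER_LOG_FILE"
    return ui_value, "global-settings"


def is_contained(candidate, allowed_dir=ALLOWED_LOG_DIR):
    """True only if candidate, after '..' normalisation and making it
    absolute, still lies inside allowed_dir."""
    base = Path(allowed_dir).resolve()
    cand = Path(candidate)
    # Relative values are interpreted relative to the allowed directory, so
    # '../../etc/passwd' is normalised instead of being written literally.
    target = cand.resolve() if cand.is_absolute() else (base / cand).resolve()
    return target == base or base in target.parents


def check_log_setting(ui_value, env=None, allowed_dir=ALLOWED_LOG_DIR):
    """Audit one configured log location and report where it came from."""
    path, source = resolve_log_location(ui_value, env)
    return {"path": path, "source": source, "ok": is_contained(path, allowed_dir)}


if __name__ == "__main__":
    # Constructed sample Global Settings values an admin might have entered.
    samples = ["geoserver.log", "../../../../etc/passwd", "/tmp/evil.log"]
    for value in samples:
        print(check_log_setting(value, env={}))
    # With GEOSERVER_LOG_FILE pinned, the UI value no longer matters.
    pinned = {"GEOSERVER_LOG_FILE": f"{ALLOWED_LOG_DIR}/geoserver.log"}
    print(check_log_setting("/tmp/evil.log", env=pinned))
```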

Affected Version(s)

geoserver <= 2.23.4

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
