Sensitive Information Disclosure in GeoServer Versions
CVE-2024-35230

5.3MEDIUM

Key Information:

Vendor: Geoserver
Status: Geoserver
Vendor: CVE Published:; 16 December 2024

What is CVE-2024-35230?

CVE-2024-35230 is a critical vulnerability that affects GeoServer, an open-source Java-based server that facilitates the sharing and editing of geospatial data. The vulnerability stems from the exposure of version and revision details on the welcome and about pages of the affected software. This sensitive information can be exploited by attackers, allowing them to identify the specific libraries and components in use, which could heighten the risk of targeted attacks. Users of the affected versions are strongly advised to upgrade to GeoServer version 2.26.0 or later immediately, as no workarounds are available to mitigate this security concern. Protect your systems by ensuring you are running the latest version.

Affected Version(s)

geoserver >= 2.0.0, < 2.26.0

References

https://github.com/geoserver/geoserver/security/advisorie...

x_refsource_CONFIRM

https://github.com/geoserver/geoserver/commit/74fdab745a5...

x_refsource_MISC

https://github.com/geoserver/geoserver/commit/8cd1590a604...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 16, 2024

Geoserver

What is CVE-2024-35230?

Affected Version(s)

References

CVSS V3.1

Timeline