Platform: java
Component: org.geoserver.web:gs-web-app
Fixed in: 2.23.6, 2.24.1, 2.23.5
CVE-2024-24749 is a high-severity vulnerability affecting GeoServer versions before 2.23.5. This flaw allows attackers to bypass input validation within the GeoWebCache ByteStreamController class, enabling the reading of arbitrary classpath resources. The impact is particularly severe if GeoServer is deployed on Windows with Apache Tomcat and utilizes an embedded data directory, potentially leading to privilege escalation.
The core of this vulnerability lies in the insufficient input validation within GeoServer's GeoWebCache ByteStreamController. An attacker can craft specific requests to bypass these checks and access files within the GeoServer classpath. If GeoServer is deployed on Windows using Apache Tomcat and the data directory is embedded within the geoserver.war file (a common configuration in some environments), the attacker could potentially read sensitive configuration files or even executable code, leading to administrator privileges. This is a significant escalation of privileges, allowing an attacker to control the GeoServer instance and potentially the underlying system. The ability to read arbitrary files also presents a data exfiltration risk, exposing potentially sensitive geospatial data managed by GeoServer.
CVE-2024-24749 was publicly disclosed on July 1, 2024. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of writing. Given the potential for privilege escalation, it is considered a high-priority vulnerability to address.
Organizations deploying GeoServer on Windows with Apache Tomcat, particularly those using embedded data directories, are at the highest risk. Legacy GeoServer installations and environments with limited security monitoring are also vulnerable. Shared hosting environments where GeoServer is deployed alongside other applications should be carefully assessed.
• linux / server:
find /opt/geoserver/ -name '*.class' -exec grep -i 'ByteStreamController' {} + | grep -i 'readfile'
• java / server:
Examine GeoServer logs for unusual file access attempts, especially those targeting classpath resources. Look for patterns indicating attempts to read files outside of expected directories.
• generic web:
Use curl or wget to probe GeoServer endpoints and observe responses for unexpected file content or error messages related to file access.
Disclosure
Exploit status
EPSS: 0.22% (44th percentile)
CVSS vector
The primary mitigation for CVE-2024-24749 is to upgrade GeoServer to version 2.23.5 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider deploying GeoServer with an external data directory instead of an embedded one, as this significantly reduces the potential for privilege escalation. While a direct WAF rule is unlikely to be effective against this type of bypass, reviewing and hardening input validation routines within custom GeoServer extensions is recommended. Monitor GeoServer logs for unusual file access attempts, particularly those targeting classpath resources.
Upgrade GeoServer to version 2.23.5 or 2.24.3 or later. Alternatively, move the Windows environment to Linux, or switch the application server from Apache Tomcat to Jetty. You can also disable anonymous access to the embedded GeoWebCache administration and status pages.
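As an added check, not code from the page or from the GeoServer project, the script below parses a Maven pom.xml, resolves the declared org.geoserver.web:gs-web-app version (including a ${property} reference) and compares it against the advisory's fixed-in versions. The branch rule (a version is affected when it is below the fix on its own 2.x branch, or sits on a branch older than any fixed one) and the sample pom.xml are assumptions made for the example.

```python
"""Flag a vulnerable org.geoserver.web:gs-web-app dependency in a Maven pom.xml."""
from itertools import takewhile
import xml.etree.ElementTree as ET

# Fixed-in versions taken from the advisory (2.23.6 is covered by the 2.23.5 rule).
# Assumption: affected = below the fix on the same 2.x branch, or on an older branch.
FIXED_IN = ("2.23.5", "2.24.1")

# Constructed sample pom.xml (not from the page) pinning gs-web-app via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><gs.version>2.23.4</gs.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.geoserver.web</groupId>
      <artifactId>gs-web-app</artifactId>
      <version>${gs.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.23.5-SNAPSHOT' -> (2, 23, 5); missing or non-numeric parts count as 0."""
    nums = [int("".join(takewhile(str.isdigit, p)) or 0) for p in text.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    """True when the version is below the fix for its branch or on an unfixed older branch."""
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_IN]
    for f in fixed:
        if f[:2] == v[:2]:  # same 2.x branch: compare against that branch's fix
            return v < f
    return v[:2] < min(f[:2] for f in fixed)  # older branch: unfixed; newer: fixed

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the POM XML namespace prefix

def gs_web_app_version(pom_xml):
    """Return the declared gs-web-app version with ${property} resolved, or None."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root.iter() if _local(el.tag) == "properties" for p in el}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.geoserver.web" and f.get("artifactId") == "gs-web-app":
            ver = f.get("version", "")
            if ver.startswith("${") and ver.endswith("}"):
                ver = props.get(ver[2:-1], ver)  # resolve <properties> reference
            return ver
    return None
```

Running `is_affected(gs_web_app_version(SAMPLE_POM))` on the constructed pom reports the 2.23.4 dependency as affected.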
CVE-2024-24749 is a high-severity vulnerability in GeoServer versions before 2.23.5 that allows attackers to read arbitrary classpath resources by bypassing input validation, potentially leading to privilege escalation.
You are affected if you are running GeoServer versions prior to 2.23.5, especially if deployed on Windows with Apache Tomcat and using an embedded data directory.
Upgrade GeoServer to version 2.23.5 or later. If immediate upgrade is not possible, use an external data directory instead of an embedded one.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept code.
Refer to the official GeoServer security advisory on their website for detailed information and updates: [https://www.geoserver.org/news/security-advisory-2024-07-01.html](https://www.geoserver.org/news/security-advisory-2024-07-01.html)