Platform: java
Component: org.geoserver.web:gs-web-app
Fixed in: 2.23.6, 2.24.1, 2.23.5
CVE-2024-24749 is a high-severity vulnerability affecting GeoServer versions before 2.23.5. This flaw allows attackers to bypass input validation within the GeoWebCache ByteStreamController class, enabling the reading of arbitrary classpath resources. The impact is particularly severe if GeoServer is deployed on Windows with Apache Tomcat and utilizes an embedded data directory, potentially leading to privilege escalation.
The core of this vulnerability is insufficient input validation in GeoServer's GeoWebCache ByteStreamController. An attacker can craft requests that bypass these checks and read files on the GeoServer classpath. If GeoServer is deployed on Windows under Apache Tomcat and the data directory is embedded inside the geoserver.war file (a common configuration in some environments), the attacker could read sensitive configuration files or even executable code, which can lead to administrator privileges. This is a significant escalation of privileges, allowing an attacker to control the GeoServer instance and potentially the underlying system. The ability to read arbitrary files also presents a data exfiltration risk, exposing potentially sensitive geospatial data managed by GeoServer.
CVE-2024-24749 was publicly disclosed on July 1, 2024. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of writing. Given the potential for privilege escalation, it is considered a high-priority vulnerability to address.
Exploit Status
EPSS: 0.22% (44th percentile)
CVSS Vector:
The primary mitigation for CVE-2024-24749 is to upgrade GeoServer to version 2.23.5 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider deploying GeoServer with an external data directory instead of an embedded one, as this significantly reduces the potential for privilege escalation. While a direct WAF rule is unlikely to be effective against this type of bypass, reviewing and hardening input validation routines within custom GeoServer extensions is recommended. Monitor GeoServer logs for unusual file access attempts, particularly those targeting classpath resources.
Update GeoServer to version 2.23.5 or 2.24.3 or later. Alternatively, change the Windows environment to Linux, or change the Apache Tomcat application server to Jetty. You can also disable anonymous access to the integrated GeoWebCache administration and status pages.
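To turn the "Fixed in" field above into a repeatable check, the following script scans a Maven pom.xml for the affected component (org.geoserver.web:gs-web-app) and compares its version against the fixed versions this page lists. This is an added example written for this page, not code from the advisory or from the GeoServer project; the fixed versions are the ones stated above, while the branch policy (a release line older than the oldest fixed line is affected, a release line newer than the newest fixed line is assumed to carry the fix) and the sample pom.xml are assumptions constructed here.

```python
"""Check a Maven pom.xml for a gs-web-app dependency that is below the
fixed versions listed for CVE-2024-24749.

Added example for this page, not part of the advisory or of GeoServer.
"""
import re
import xml.etree.ElementTree as ET

# Coordinates and fixed versions as stated on the advisory page.
AFFECTED_GROUP = "org.geoserver.web"
AFFECTED_ARTIFACT = "gs-web-app"
FIXED_VERSIONS = ["2.23.6", "2.24.1", "2.23.5"]


def parse_version(text):
    """Turn '2.23.5' (or '2.23.5-SNAPSHOT') into a comparable (major, minor, patch) tuple."""
    core = re.match(r"\d+(\.\d+)*", text.strip())
    if core is None:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def min_fixed_by_branch(fixed_versions):
    """Map each release line (major, minor) to the lowest fixed version in it."""
    by_branch = {}
    for v in fixed_versions:
        t = parse_version(v)
        branch = t[:2]
        if branch not in by_branch or t < by_branch[branch]:
            by_branch[branch] = t
    return by_branch


def is_affected(version, fixed_versions=FIXED_VERSIONS):
    """True if `version` is below the fix for its release line.

    Branch policy is an assumption of this example: lines older than the
    oldest fixed line are affected, lines newer than the newest are not,
    and any unlisted line in between is treated conservatively as affected.
    """
    v = parse_version(version)
    by_branch = min_fixed_by_branch(fixed_versions)
    branch = v[:2]
    if branch in by_branch:
        return v < by_branch[branch]
    if branch < min(by_branch):
        return True
    if branch > max(by_branch):
        return False
    return True


def find_affected_dependencies(pom_xml):
    """Return [(artifactId, version)] for gs-web-app entries that are affected.

    ${property} versions are resolved from <properties>; a version that cannot
    be resolved (e.g. managed by a parent POM) is reported with version None
    so it gets a manual look rather than silently passing.
    """
    root = ET.fromstring(pom_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""

    def tag(name):
        return f"{{{ns}}}{name}" if ns else name

    props = {}
    props_el = root.find(tag("properties"))
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()

    findings = []
    for dep in root.iter(tag("dependency")):
        group = dep.findtext(tag("groupId"), "").strip()
        artifact = dep.findtext(tag("artifactId"), "").strip()
        if (group, artifact) != (AFFECTED_GROUP, AFFECTED_ARTIFACT):
            continue
        ver = dep.findtext(tag("version"))
        if ver is None:
            findings.append((artifact, None))
            continue
        ver = ver.strip()
        m = re.fullmatch(r"\$\{([^}]+)\}", ver)
        if m:
            ver = props.get(m.group(1), ver)
        if ver.startswith("${"):
            findings.append((artifact, None))
        elif is_affected(ver):
            findings.append((artifact, ver))
    return findings


# Constructed sample pom.xml: one affected entry via a property, one fixed entry.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <gs.version>2.23.4</gs.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.geoserver.web</groupId>
      <artifactId>gs-web-app</artifactId>
      <version>${gs.version}</version>
    </dependency>
    <dependency>
      <groupId>org.geoserver.web</groupId>
      <artifactId>gs-web-app</artifactId>
      <version>2.24.1</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version in find_affected_dependencies(SAMPLE_POM):
        print(f"{artifact}: {version or 'unresolved version, review manually'}")
```

Point `find_affected_dependencies` at the contents of your own pom.xml to run it against a real build; versions inherited from a parent POM or a dependencyManagement section are reported as unresolved rather than assumed safe.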
CVE-2024-24749 is a high-severity vulnerability in GeoServer versions before 2.23.5 that allows attackers to read arbitrary classpath resources by bypassing input validation, potentially leading to privilege escalation.
You are affected if you are running GeoServer versions prior to 2.23.5, especially if deployed on Windows with Apache Tomcat and using an embedded data directory.
Upgrade GeoServer to version 2.23.5 or later. If immediate upgrade is not possible, use an external data directory instead of an embedded one.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept code.
Refer to the official GeoServer security advisory on their website for detailed information and updates: [https://www.geoserver.org/news/security-advisory-2024-07-01.html](https://www.geoserver.org/news/security-advisory-2024-07-01.html)