Platform: java
Component: org.geoserver.web:gs-web-app
Fixed in: 2.23.6, 2.24.1, 2.23.5
CVE-2024-24749 is a high-severity vulnerability affecting GeoServer versions before 2.23.5. This flaw allows attackers to bypass input validation within the GeoWebCache ByteStreamController class, enabling the reading of arbitrary classpath resources. The impact is particularly severe if GeoServer is deployed on Windows with Apache Tomcat and utilizes an embedded data directory, potentially leading to privilege escalation.
The core of this vulnerability lies in the insufficient input validation within GeoServer's GeoWebCache ByteStreamController. An attacker can craft specific requests to bypass these checks and access files within the GeoServer classpath. If GeoServer is deployed on Windows using Apache Tomcat and the data directory is embedded within the geoserver.war file (a common configuration in some environments), the attacker could potentially read sensitive configuration files or even executable code, leading to administrator privileges. This is a significant escalation of privileges, allowing an attacker to control the GeoServer instance and potentially the underlying system. The ability to read arbitrary files also presents a data exfiltration risk, exposing potentially sensitive geospatial data managed by GeoServer.
CVE-2024-24749 was publicly disclosed on July 1, 2024. There is currently no indication of active exploitation in the wild, and no public proof-of-concept (PoC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of writing. Given the potential for privilege escalation, it is considered a high-priority vulnerability to address.
Organizations deploying GeoServer on Windows with Apache Tomcat, particularly those using embedded data directories, are at the highest risk. Legacy GeoServer installations and environments with limited security monitoring are also vulnerable. Shared hosting environments where GeoServer is deployed alongside other applications should be carefully assessed.
• linux / server:
# Lists compiled classes that contain both strings; -l prints file names, -a treats the binary .class files as text so grep does not just report "Binary file matches".
find /opt/geoserver/ -name '*.class' -exec grep -lai 'ByteStreamController' {} + | xargs -r grep -lai 'readfile'
• java / server:
Examine GeoServer logs for unusual file access attempts, especially those targeting classpath resources. Look for patterns indicating attempts to read files outside of expected directories.
• generic web:
Use curl or wget to probe GeoServer endpoints and observe responses for unexpected file content or error messages related to file access.
disclosure
Exploit status
EPSS: 0.22% (44th percentile)
CVSS vector
The primary mitigation for CVE-2024-24749 is to upgrade GeoServer to version 2.23.5 or later. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, consider deploying GeoServer with an external data directory instead of an embedded one, as this significantly reduces the potential for privilege escalation. While a direct WAF rule is unlikely to be effective against this type of bypass, reviewing and hardening input validation routines within custom GeoServer extensions is recommended. Monitor GeoServer logs for unusual file access attempts, particularly those targeting classpath resources.
Upgrade GeoServer to version 2.23.5 or 2.24.3 or later. Alternatively, move the Windows environment to Linux, or switch the application server from Apache Tomcat to Jetty. You can also disable anonymous access to the embedded GeoWebCache administration and status pages.
CVE-2024-24749 is a high-severity vulnerability in GeoServer versions before 2.23.5 that allows attackers to read arbitrary classpath resources by bypassing input validation, potentially leading to privilege escalation.
You are affected if you are running GeoServer versions prior to 2.23.5, especially if deployed on Windows with Apache Tomcat and using an embedded data directory.
Upgrade GeoServer to version 2.23.5 or later. If immediate upgrade is not possible, use an external data directory instead of an embedded one.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept code.
Refer to the official GeoServer security advisory on their website for detailed information and updates: [https://www.geoserver.org/news/security-advisory-2024-07-01.html](https://www.geoserver.org/news/security-advisory-2024-07-01.html)
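To check whether a Maven build pulls in an affected release of the component listed at the top of this page, the following script (an added example, not code from this page or from the GeoServer project) parses a pom.xml, resolves `${property}` versions, and compares the org.geoserver.web:gs-web-app version against the fixed releases from the "Fixed in" field (2.23.5 for the 2.23 branch, 2.24.1 for the 2.24 branch). The sample pom is constructed; treating branches after 2.24 as never affected is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# First fixed release per branch, from the page's "Fixed in" field.
FIXED = {(2, 23): (2, 23, 5), (2, 24): (2, 24, 1)}

# Constructed sample pom.xml: the version is supplied via a Maven property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties><geoserver.version>2.23.4</geoserver.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.geoserver.web</groupId>
      <artifactId>gs-web-app</artifactId>
      <version>${geoserver.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.23.4-SNAPSHOT' -> (2, 23, 4); qualifiers are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", text)[:3])

def is_vulnerable(version):
    """True/False for a parseable version, None if it could not be parsed."""
    v = parse_version(version)
    if len(v) < 2:
        return None
    if v[:2] in FIXED:
        return v < FIXED[v[:2]]
    # Page: every release before 2.23.5 is affected. Assumption: branches
    # after 2.24 were cut after the fix and never shipped the bug.
    return v[:2] < (2, 23)

def find_gs_web_app_versions(pom_xml):
    """Return [(resolved_version, vulnerable)] for each gs-web-app dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    props["project.version"] = root.findtext("m:version", default="", namespaces=NS)
    out = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        if (gid, aid) != ("org.geoserver.web", "gs-web-app"):
            continue
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        out.append((resolved, is_vulnerable(resolved)))
    return out
```

A result of `None` means the version came from a property defined outside this pom (a parent or the command line), so it must be resolved before the check is meaningful.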