Skip to content

Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat

High severity GitHub Reviewed Published Jul 1, 2024 in geoserver/geoserver • Updated Jul 1, 2024

Package

maven org.geoserver.web:gs-web-app (Maven)

Affected versions

< 2.23.5
>= 2.24.0, < 2.24.3

Patched versions

2.23.5
2.24.3
maven org.geoserver:gs-gwc (Maven)
< 2.23.5
>= 2.24.0, < 2.24.3
2.23.5
2.24.3

Description

Impact

If GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions.

If GeoServer is also deployed as a web archive using the data directory embedded in the geoserver.war file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary).

Patches

GeoWebCache/geowebcache#1211

Workarounds

Change environment:

  • Change from Windows operating system. This vulnerability depends on Windows file paths so Linux and Mac OS are not vulnerable.
  • Change from Apache Tomcat application server. Jetty and WildFly are confirmed to not be vulnerable. Other application servers have not been tested and may be vulnerable.

Disable anonymous access to the embeded GeoWebCache administration and status pages:

  1. Navigate to Security > Authentication Page
  2. Locate Filter Chains heading
  3. Select the web filter filter chain (ant pattern /web/**,/gwc/rest/web/**,/)
  4. Remove ,/gwc/rest/web/** from the pattern (so that /web/**,/ is left).
  5. Save the changes

References

  • CVE-Pending

References

@jodygarnett jodygarnett published to geoserver/geoserver Jul 1, 2024
Published by the National Vulnerability Database Jul 1, 2024
Published to the GitHub Advisory Database Jul 1, 2024
Reviewed Jul 1, 2024
Last updated Jul 1, 2024

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS score

0.045%
(17th percentile)

Weaknesses

CVE ID

CVE-2024-24749

GHSA ID

GHSA-jhqx-5v5g-mpf3

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.