GeoServer has encountered an XML External Entity (XEE) vulnerability permitting an unauthenticated read access to server files.

This vulnerability GEOS-7032 is addressed in the following releases and we strongly encourage all users to upgrade:

Thanks to Ben Caradoc-Davies (Transient Software) for the maintenance release along with Jody Garnett (Boundless) and Andrea Aime (GeoSolutions) for the unscheduled patch releases provided above.

If you are running an earlier version of GeoServer and would like to generate a patch release please contact one of our commercial support providers, or join us on geoserver-devel to volunteer.

About XEE

For more information on XEE see owasp articles on XML External Entity Processing and XML External Entity Attack provided to geoserver-devel by Johannes Kröger.

Responsible Disclosure

If you encounter a security vulnerability in GeoServer, or any other open source software, please take care to report the issue in a responsible fashion:

  • Keep exploit details out of issue report (send to developer/PSC privately - just like you would do for sensitive sample data)

  • Be prepared to work with Project Steering Committee (PSC) members on a solution

  • Keep in mind PSC members are volunteers and an extensive fix may require fundraising / resources

If you are not in position to communicate in public (or make use of the issue tracker) please consider commercial support, contacting a PSC member privately or contacting us via the Open Source Geospatial Foundation at info@osgeo.org.

We will be revising the GeoServer Developers Guide to clarify in the coming days.