GeoServer is affected by an XML External Entity (XXE) vulnerability that allows an unauthenticated attacker to read files on the server.
This vulnerability, tracked as GEOS-7032, is addressed in the following releases, and we strongly encourage all users to upgrade:
If you encounter a security vulnerability in GeoServer, or in any other open source software, please take care to report the issue in a responsible fashion:
- Keep exploit details out of the issue report (send them privately to the developers or the PSC, just as you would with sensitive sample data)
- Be prepared to work with Project Steering Committee (PSC) members on a solution
- Keep in mind that PSC members are volunteers, and an extensive fix may require fundraising or other resources
If you are not in a position to communicate in public (or to make use of the issue tracker), please consider commercial support, contacting a PSC member privately, or contacting us via the Open Source Geospatial Foundation at firstname.lastname@example.org.
We will be revising the GeoServer Developers Guide in the coming days to clarify this process.
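The class of bug described above, as an added, generic illustration that is not GeoServer's code and does not reproduce the GEOS-7032 issue (GeoServer is a Java application; this uses Python's expat binding purely to show the mechanism). A parser that resolves external entities declared in a DOCTYPE will hand the attacker the contents of any file it can read; a hardened parser refuses the DOCTYPE before any entity can be declared. The "secret" file, the payload and the function names are constructed for the example.

```python
"""XXE in miniature: external entity resolution leaks a server-side file,
and a hardened parser blocks the same document.  Everything here (file
contents, payload, function names) is constructed for illustration and
is not GeoServer's own code or its fix."""
import os
import tempfile
import xml.parsers.expat


class XxeRejected(Exception):
    """Raised by the hardened parser when a document carries a DOCTYPE or
    tries to reference an external entity."""


def xxe_payload(path):
    # Constructed attacker document: the entity &xxe; names a local file
    # via a file:// system identifier and is referenced inside <data>.
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE r [ <!ENTITY xxe SYSTEM "file://%s"> ]>\n'
        '<r><data>&xxe;</data></r>' % path
    )


def parse_vulnerable(doc):
    """Resolves external entities (the XXE bug class).  Returns the text
    content of the document, which now includes the referenced file."""
    text = []
    p = xml.parsers.expat.ParserCreate()

    def resolve(context, base, system_id, public_id):
        # Naive resolver: open whatever the SYSTEM identifier points at and
        # feed it to a sub-parser that inherits this parser's handlers.
        sub = p.ExternalEntityParserCreate(context)
        with open(system_id[len('file://'):], 'rb') as f:
            sub.Parse(f.read(), True)
        return 1  # non-zero tells expat the entity was handled

    p.ExternalEntityRefHandler = resolve
    p.CharacterDataHandler = text.append
    p.Parse(doc, True)
    return ''.join(text)


def parse_hardened(doc):
    """Rejects any DOCTYPE (the only place an entity can be declared) and,
    as a second line of defence, any external entity reference.  Documents
    without a DOCTYPE parse normally."""
    text = []
    p = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise XxeRejected('DOCTYPE declarations are not accepted')

    def reject_external(context, base, system_id, public_id):
        raise XxeRejected('external entity references are not accepted')

    p.StartDoctypeDeclHandler = reject_doctype
    p.ExternalEntityRefHandler = reject_external
    p.CharacterDataHandler = text.append
    p.Parse(doc, True)
    return ''.join(text)


def demo():
    """Writes a constructed secret file, runs the same payload through both
    parsers, and returns (leaked_text, hardened_parser_blocked_it)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, 'w') as f:
        f.write('db_password=hunter2')  # constructed stand-in for server data
    try:
        doc = xxe_payload(path)
        leaked = parse_vulnerable(doc)
        try:
            parse_hardened(doc)
            blocked = False
        except XxeRejected:
            blocked = True
        return leaked, blocked
    finally:
        os.unlink(path)


if __name__ == '__main__':
    leaked, blocked = demo()
    print('vulnerable parser returned:', repr(leaked))
    print('hardened parser blocked the payload:', blocked)
```

The hardened variant rejects at the DOCTYPE rather than only at the entity reference: refusing the declaration up front also shuts down parameter-entity and billion-laughs style tricks that never produce an external reference in content. In Java, the equivalent is disabling DOCTYPE declarations and external entities on the `DocumentBuilderFactory`, `SAXParserFactory` or `XMLInputFactory` that the application uses.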