GeoServer has encountered an XML External Entity (XXE) vulnerability permitting unauthenticated read access to server files.
This vulnerability, GEOS-7032, is addressed in the following releases, and we strongly encourage all users to upgrade:
If you encounter a security vulnerability in GeoServer, or in any other open source software, please take care to report the issue responsibly:
Keep exploit details out of the issue report (send them to a developer or PSC member privately, just as you would for sensitive sample data)
Be prepared to work with Project Steering Committee (PSC) members on a solution
Keep in mind that PSC members are volunteers, and an extensive fix may require fundraising or other resources
If you are not in a position to communicate in public (or to make use of the issue tracker), please consider commercial support, contacting a PSC member privately, or contacting us via the Open Source Geospatial Foundation at firstname.lastname@example.org.
We will be revising the GeoServer Developers Guide in the coming days to clarify this reporting process.