Remote Execution Vulnerability
GeoServer has encountered a remote execution vulnerability in the REST API (used for remote administration).
This vulnerability (GEOS-7124) is addressed in the following scheduled releases:
- GeoServer 2.8.0 - stable
- GeoServer 2.7.3 - maintenance
- GeoServer 2.6.5 - archived
Thanks to Andrea Aime (GeoSolutions) and Kevin Smith (Boundless) for both fixing this issue and backporting the fix to the stable and maintenance series.
Users are encouraged to upgrade, keeping in mind that exposure to this issue is limited to scripts using administrator credentials to access the REST API. Accounts making use of gsconfig (Python library) also make use of these facilities.
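Because the fix ships in three separate release series, deciding whether a given deployment is still exposed means comparing its version against the right series, not just against the newest number. The helper below is an added example, not code from the GeoServer project or this advisory; it encodes only the three fixed releases the advisory names (2.8.0, 2.7.3, 2.6.5), treats later series as post-fix and earlier series as having no fixed release, and refuses to judge SNAPSHOT builds, whose number says nothing about whether they predate the fix. The JSON shape handled by `version_from_about_json` is my assumption about the REST `about/version` resource, and the sample payload is constructed for the example.

```python
"""Decide whether a GeoServer version string predates the GEOS-7124 fix.

Added example, not part of the GeoServer advisory or project. It hard-codes
only the fixed releases the advisory lists.
"""
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory, keyed by (major, minor) series.
FIXED_BY_SERIES = {
    (2, 8): (2, 8, 0),  # stable
    (2, 7): (2, 7, 3),  # maintenance
    (2, 6): (2, 6, 5),  # archived
}

# Constructed sample of the JSON returned by the REST about/version resource.
# The shape ("about" -> "resource" list with "@name" and "Version") is an
# assumption for this example, not taken from the advisory.
SAMPLE_ABOUT = {
    "about": {
        "resource": [
            {"@name": "GeoServer", "Version": "2.7.2"},
            {"@name": "GeoTools", "Version": "13.2"},
        ]
    }
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' and ignore any trailing suffix."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_patched(version: str) -> Optional[bool]:
    """True if the version carries the GEOS-7124 fix, False if not, None if unknown.

    - 2.6.x, 2.7.x, 2.8.x are compared against the advisory's fixed release.
    - Series newer than 2.8 were cut after the fix and count as patched.
    - Series older than 2.6 received no fixed release and count as unpatched.
    - SNAPSHOT builds are reported as unknown: the number alone cannot tell
      a pre-fix nightly from a post-fix one.
    """
    if "SNAPSHOT" in version.upper():
        return None
    v = parse_version(version)
    series = v[:2]
    if series in FIXED_BY_SERIES:
        return v >= FIXED_BY_SERIES[series]
    if series > (2, 8):
        return True
    return False


def version_from_about_json(payload: dict) -> str:
    """Pull the GeoServer version out of the assumed about/version JSON shape."""
    for entry in payload.get("about", {}).get("resource", []):
        if entry.get("@name") == "GeoServer":
            return entry["Version"]
    raise KeyError("no GeoServer entry in about/version payload")


if __name__ == "__main__":
    found = version_from_about_json(SAMPLE_ABOUT)
    status = {True: "patched", False: "UNPATCHED", None: "unknown (snapshot)"}
    print(f"GeoServer {found}: {status[is_patched(found)]}")
```

Run against a real instance, the version string would come from the REST about/version resource fetched with administrator credentials; the comparison logic itself is the same. A result of False or None is the signal to schedule the upgrade to the fixed release for that series.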
About Remote Execution
For more information, see the Red Hat security article on remote code execution via serialized data.
Responsible Disclosure
Thanks to Matthias Kaiser for reporting this issue.
If you encounter a security vulnerability in GeoServer (or any other open source software), please take care to report the issue in a responsible fashion:
- Keep exploit details out of the issue report (send them to the developers/PSC privately, just as you would for sensitive sample data)
- Be prepared to work with Project Steering Committee (PSC) members on a solution
- Keep in mind that PSC members are volunteers and an extensive fix may require fundraising / resources
If you are not in a position to communicate in public (or make use of the issue tracker), please consider commercial support, contacting a PSC member privately, or contacting us via the Open Source Geospatial Foundation at info@osgeo.org.