CVE-2023-41877

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-41877
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41877.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-41877
Aliases
Related
Published
2024-03-20T15:15:07Z
Modified
2025-01-08T03:31:54Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A path traversal vulnerability in versions 2.23.4 and prior requires GeoServer Administrator with access to the admin console to misconfigure the Global Settings for log file location to an arbitrary location. The admin console GeoServer Logs page provides a preview of these contents. As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not received a patch as of time of publication. As a workaround, a system administrator responsible for running GeoServer can use the GEOSERVER_LOG_FILE setting to override any configuration option provided by the Global Settings page. The GEOSERVER_LOG_LOCATION parameter can be set as system property, environment variables, or servlet context parameters.

References

Affected packages

Git / github.com/geoserver/geoserver

Affected ranges

Type
GIT
Repo
https://github.com/geoserver/geoserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
31f4807730bc3c65ebd6cf2cbda994e178cd3e86