GHSA-8g7v-vjrc-x4g5

Suggest an improvement
Source
https://github.com/advisories/GHSA-8g7v-vjrc-x4g5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-8g7v-vjrc-x4g5/GHSA-8g7v-vjrc-x4g5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8g7v-vjrc-x4g5
Aliases
  • CVE-2023-41877
Published
2024-03-20T14:45:21Z
Modified
2024-03-20T15:44:08Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
GeoServer log file path traversal vulnerability
Details

Impact

This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the Global Settings for log file location to an arbitrary location.

This can be used to read files via the admin console GeoServer Logs page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files.

Patches

As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources.

Interested parties are welcome to contact geoserver-security@lists.osgeo.org for recommendations on developing a fix.

Workarounds

A system administrator responsible for running GeoServer can define the GEOSERVER_LOG_FILE parameter, preventing the global setting provided from being used.

The GEOSERVER_LOG_LOCATION parameter can be set as system property, environment variable, or servlet context parameter.

Environmental variable:

export GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs

System property:

-DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs

Web application WEB-INF/web.xml:

  <context-param>
    <param-name> GEOSERVER_LOG_LOCATION </param-name>
    <param-value>/var/opt/geoserver/logs</param-value>
  </context-param>

Tomcat conf/Catalina/localhost/geoserver.xml:

<Context>
  <Parameter name="GEOSERVER_LOG_LOCATION"
             value="/var/opt/geoserver/logs" override="false"/>
</Context>

References

Database specific
{
    "nvd_published_at": "2024-03-20T15:15:07Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-20T14:45:21Z"
}
References

Affected packages

Maven / org.geoserver:gs-main

Package

Name
org.geoserver:gs-main
View open source insights on deps.dev
Purl
pkg:maven/org.geoserver/gs-main

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.23.4