GHSA-2p76-gc46-5fvc – org.geonetwork-opensource:gn-wfsfeature-harvester
Package
Manager: maven
Name: org.geonetwork-opensource:gn-wfsfeature-harvester
Vulnerable Version: >=4.4.0 <4.4.8 || >=4.2.0 <4.2.13
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint

### Impact
GeoNetwork's WFS Index functionality is affected by the GeoTools XML External Entity (XXE) vulnerability during schema validation. This vulnerability is particularly severe because the WFS indexing REST API endpoint was not secured (no authentication was required), potentially allowing unauthenticated attackers to read sensitive files from the server.

### Patches
Fixed in GeoNetwork 4.4.8 and 4.2.13.

### Workarounds
Remove the `gn-wfsfeature-harvester` and `gn-camelPeriodicProducer` jars, which disables the WFS Index functionality.

### References
- [GHSA-826p-4gcg-35vw](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw)
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812
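The following is an added example illustrating the vulnerability class the advisory describes (CWE-611, with the CWE-918 fetch-a-URL variant noted in a comment); it is not GeoNetwork or GeoTools code and does not reproduce their parser setup. GeoTools is Java, so this uses Python's `xml.sax`/expat instead to show the same three configurations side by side: a parser that resolves external general entities (an attacker-supplied `SYSTEM` entity pulls a local file into the document), a parser with entity resolution switched off (entity expands to nothing), and a hardened parser that refuses the document at the `DOCTYPE`. The WFS-shaped payload, the `datasource.properties` file and its contents are constructed for the demo.

```python
"""XXE (CWE-611 / CWE-918) demonstration with Python's xml.sax (expat).
Added example; not GeoNetwork or GeoTools code."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import feature_external_ges, property_lexical_handler


class DoctypeRejected(ValueError):
    """Raised by the hardened parser as soon as a <!DOCTYPE ...> is seen."""


class TextCollector(handler.ContentHandler):
    """Collects all character data, so we can see what an entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class NoDtdAllowed:
    """SAX lexical handler. expat calls startDTD when it meets the DOCTYPE, before
    it has processed any <!ENTITY> declaration, so raising here blocks both
    external-entity file reads and entity-expansion (billion laughs) payloads."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} rejected (system id {system_id!r})")

    # The remaining lexical-handler callbacks are no-ops.
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def xxe_payload(target_uri):
    """Constructed attacker payload shaped like a WFS request. With a file: URI
    the entity reads a local file (CWE-611); with an http: URI the server would
    fetch it instead, which is the SSRF angle (CWE-918) the advisory also lists."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE wfs:GetFeature [
  <!ENTITY secret SYSTEM "{target_uri}">
]>
<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs">
  <wfs:Query>&secret;</wfs:Query>
</wfs:GetFeature>"""


def parse_text(xml_text, *, resolve_external_entities=False, reject_doctype=True):
    """Parse xml_text and return the collected character data.

    resolve_external_entities=True reproduces the vulnerable configuration
    (expat hands SYSTEM entities to urllib and splices the result in).
    reject_doctype=True is the hardened configuration: refuse at the DOCTYPE."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    if reject_doctype:
        parser.setProperty(property_lexical_handler, NoDtdAllowed())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return collector.text()


def run_demo():
    """Runs the payload against the three configurations and returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a server-side secret (e.g. a datasource config).
        secret_path = os.path.join(tmp, "datasource.properties")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("db.password=hunter2\n")
        payload = xxe_payload(pathlib.Path(secret_path).as_uri())

        # 1. Vulnerable: external entities resolved, the file lands in the document.
        leaked = parse_text(payload, resolve_external_entities=True, reject_doctype=False).strip()
        # 2. Resolution off but DOCTYPE still accepted: nothing leaks, entity expands to "".
        silenced = parse_text(payload, resolve_external_entities=False, reject_doctype=False).strip()
        # 3. Hardened: the document is rejected before any entity is declared.
        try:
            parse_text(payload)
            rejected = False
        except DoctypeRejected:
            rejected = True
    return {"leaked": leaked, "silenced": silenced, "rejected": rejected}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Configuration 2 is the minimum that stops the file read; configuration 3 is what a practitioner should want on any endpoint that accepts XML from unauthenticated callers, since it also removes the entity-expansion and parameter-entity surface. On the Java side that GeoTools and GeoNetwork run on, the corresponding general JAXP controls are setting `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` to `""` on the `SchemaFactory` used for validation and enabling `http://apache.org/xml/features/disallow-doctype-decl` on `DocumentBuilderFactory`; the advisory does not state which of these the linked pull requests apply, so treat that as the standard hardening rather than a description of the fix.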
Metadata
Created: 2025-06-10T20:10:42Z
Modified: 2025-06-10T20:10:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-2p76-gc46-5fvc/GHSA-2p76-gc46-5fvc.json
CWE IDs: ["CWE-611", "CWE-918"]
Alternative ID: N/A
Finding: F083
Auto approve: 1