logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-41877 org.geoserver:gs-main

Package

Manager: maven
Name: org.geoserver:gs-main
Vulnerable Version: >=0 <=2.23.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01221 pctl0.78316

Details

GeoServer log file path traversal vulnerability ### Impact This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the **Global Settings** for **log file location** to an arbitrary location. This can be used to read files via the admin console **GeoServer Logs** page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files. ### Patches As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources. Interested parties are welcome to contact geoserver-security@lists.osgeo.org for recommendations on developing a fix. ### Workarounds A system administrator responsible for running GeoServer can define the ``GEOSERVER_LOG_FILE`` parameter, preventing the global setting provided from being used. The ``GEOSERVER_LOG_LOCATION`` parameter can be set as system property, environment variable, or servlet context parameter. Environmental variable: ```bash export GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs ``` System property: ```bash -DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs ``` Web application ``WEB-INF/web.xml``: ```xml <context-param> <param-name> GEOSERVER_LOG_LOCATION </param-name> <param-value>/var/opt/geoserver/logs</param-value> </context-param> ``` Tomcat **conf/Catalina/localhost/geoserver.xml**: ```xml <Context> <Parameter name="GEOSERVER_LOG_LOCATION" value="/var/opt/geoserver/logs" override="false"/> </Context> ``` ### References * [Log location](https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location) (User Manual)

Metadata

Created: 2024-03-20T14:45:21Z
Modified: 2024-03-20T15:44:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-8g7v-vjrc-x4g5/GHSA-8g7v-vjrc-x4g5.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-8g7v-vjrc-x4g5
Finding: F063
Auto approve: 1