CVE-2023-28442

Name of the Vulnerable Software and Affected Versions GeoNode versions prior to 2.20.6 GeoNode versions prior to 2.19.6 GeoNode versions prior to 2.18.7

Description GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data. Anonymous users can obtain sensitive information about GeoNode configurations from the response of the "/geoserver/rest/about/status" Geoserver REST API endpoint. The Geoserver endpoint is secured by default, but the configuration of Geoserver for GeoNode opens a list of REST endpoints to support some of its public-facing services. The issue impacts both GeoNode 3 and GeoNode 4 instances. Geoserver security configuration is provided by geoserver-geonode-ext.

Recommendations For versions prior to 2.20.6, update to version 2.20.6 or later. For versions prior to 2.19.6, update to version 2.19.6 or later. For versions prior to 2.18.7, update to version 2.18.7 or later. As a temporary workaround, consider restricting access to the "/geoserver/rest/about/status" endpoint until a patch is applied. For existing setups, apply the patch manually inside the Geoserver data directory by replacing the existing <geoserver datadir>/security/rest.properties file with the patched file.