Geoserver · Geoserver · CVE-2024-34696
**Name of the Vulnerable Software and Affected Versions**
GeoServer versions 2.10.0 through 2.24.3
GeoServer version 2.25.0
**Description**
GeoServer's Server Status page, and the REST API endpoint behind it, list every environment variable and Java system property of the running process to any GeoServer user with administrative rights. Those variables and properties can hold sensitive values such as database passwords or API keys and tokens, so an administrator account (or anyone acting with an administrator's session) can read them out of the web UI or the API. The exact scope depends on the container image in use and on how it was configured: a deployment that injects secrets through environment variables or JVM system properties exposes them, one that passes them in some other way does not. The `about status` REST endpoint that powers the Server Status page is only available to administrators, and by default GeoServer only permits same-origin authenticated API access, which limits the opportunity for a third-party attacker to ride an administrator's credentials and harvest those secrets.
**Recommendations**
For GeoServer versions 2.10.0 through 2.24.3, update to version 2.24.4 to get the bug fix.
For GeoServer version 2.25.0, update to version 2.25.1 to get the bug fix.
As a workaround, keep environment variables and Java system properties hidden from the Server Status page and REST API by default. If an option to show them again is offered, state the impact and risks plainly (every secret present in the process environment becomes readable to every administrator account) so that users can make an informed choice.
Container images should practise defence in depth so that the exposure stays limited even when a deployment is configured to show environment variables or properties: pass secrets to the container as files, or as references to a secret held in the cloud provider's metadata or secret-management service, rather than as environment variables or `-D` system properties; make sure any configuration file that holds a secret is not readable by other users; and clear every environment variable that carries a secret before starting GeoServer, since anything still in the environment is exactly what the status page lists.
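The following entrypoint script is an added example of those three container measures, not GeoServer's own startup script or part of any official image. It assumes hypothetical names: a `SECRETS_DIR` holding one file per secret (the layout Docker and Kubernetes secret mounts produce), a `GEOSERVER_DATA_DIR`, a `db.properties` file that the deployment's own configuration reads, and `/opt/geoserver/start.sh` as the real launcher. Secrets are read from files, written to an owner-only properties file, and every secret-looking variable is stripped from the environment before the JVM starts, with a final check that refuses to start if anything sensitive is still exported.

```shell
#!/bin/sh
# Added example entrypoint (not GeoServer's own code). Hypothetical names:
# SECRETS_DIR (one file per secret), GEOSERVER_DATA_DIR, db.properties,
# /opt/geoserver/start.sh. Run as: entrypoint.sh run
set -eu

# Read a secret from a file, dropping the trailing newline that secret
# mounts usually carry. A missing file is a hard error so that a
# misconfigured deployment never starts with an empty password.
read_secret_file() {
    [ -r "$1" ] || { echo "missing secret file: $1" >&2; return 1; }
    tr -d '\n' < "$1"
}

# Write the credentials to a properties file that only the owner can read,
# so a secret never has to live in the environment or a -D property.
write_db_props() {
    out=$1; user=$2; pass=$3
    umask 077
    printf 'jdbc.user=%s\njdbc.password=%s\n' "$user" "$pass" > "$out"
    chmod 600 "$out"
}

# True when the file is readable and writable by its owner only (mode 0600).
# ls -ld output is used because stat(1) flags differ between GNU and BSD.
file_is_private() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# Names of all exported variables, one per line.
env_names() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'
}

# Unset every exported variable whose name looks like a secret. Anything
# left exported here is what the Server Status page would list.
scrub_secret_env() {
    for name in $(env_names); do
        case "$name" in
            *PASSWORD*|*PASSWD*|*SECRET*|*TOKEN*|*API_KEY*|*APIKEY*) unset "$name" ;;
        esac
    done
}

# Number of exported variables that still look like secrets; 0 is the goal.
secret_env_count() {
    env_names | grep -c -E 'PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|APIKEY' || true
}

main() {
    secrets_dir=${SECRETS_DIR:-/run/secrets}
    data_dir=${GEOSERVER_DATA_DIR:-/opt/geoserver/data_dir}

    db_user=$(read_secret_file "$secrets_dir/db_user")
    db_pass=$(read_secret_file "$secrets_dir/db_password")
    write_db_props "$data_dir/db.properties" "$db_user" "$db_pass"
    unset db_user db_pass

    scrub_secret_env
    [ "$(secret_env_count)" -eq 0 ] || { echo "refusing to start: secrets still in environment" >&2; exit 1; }

    # exec replaces this shell, so the JVM inherits only the scrubbed environment.
    exec /opt/geoserver/start.sh
}

# Only start GeoServer when invoked with "run"; otherwise the functions can
# be sourced and exercised on their own.
case "${1:-}" in
    run) main ;;
esac
```

The check before `exec` is deliberately strict: a deployment that still has a `*_PASSWORD` variable exported after the scrub is exactly the configuration the advisory describes, and it is better for the container to fail at start than to expose that value on the Server Status page.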