Unknown · GeoNetwork · CVE-2021-28398
**Name of the Vulnerable Software and Affected Versions**
GeoNetwork versions 3.4.0 through 3.12.0
GeoNetwork versions 4.0.0 through 4.0.3
**Description**
A privileged attacker can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. This requires a User Administrator or Administrator account. The issue occurs in the `runBeforeScript` method in `harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java`.
**Recommendations**
For GeoNetwork versions 3.4.0 through 3.12.0, update to version 3.12.0 or later.
For GeoNetwork versions 4.0.0 through 4.0.3, update to version 4.0.4 or later.
As a temporary workaround, consider disabling the `runBeforeScript` method in the `LocalFilesystemHarvester` class until the update can be applied.
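To make the risk class and the workaround concrete, the following is an added illustration in Java; it is not GeoNetwork's code and does not reproduce the real `runBeforeScript` implementation. It contrasts the unsafe pattern the advisory describes (a configuration string, editable by an administrator account, handed to a shell) with a hardened variant that is disabled by default and, when enabled, goes beyond the page's workaround by only running files from an allowlisted directory without a shell. The `SCRIPT_DIR` path and the `harvester.beforeScript.enabled` property are assumed names chosen for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Hypothetical illustration, not GeoNetwork's code: why a harvester
// "before-script" that passes an admin-supplied string to a shell is
// remote command execution, and one way to harden that behaviour.
public class BeforeScriptExample {

    // Unsafe pattern: the script text comes from the harvester configuration
    // (editable by a User Administrator) and is interpreted by /bin/sh, so
    // whatever command is stored there runs on the host with the server's
    // privileges.
    static Process runBeforeScriptUnsafe(String script) throws IOException {
        return new ProcessBuilder("/bin/sh", "-c", script).start();
    }

    // Hardened pattern: off unless an operator opts in via a system property
    // (assumed name), and even then only a regular file inside a fixed
    // directory (assumed path) may run, invoked without any shell.
    static final Path SCRIPT_DIR = Paths.get("/opt/geonetwork/harvester-scripts");
    static final boolean ENABLED = Boolean.getBoolean("harvester.beforeScript.enabled");

    static Process runBeforeScriptHardened(String scriptName) throws IOException {
        if (!ENABLED) {
            throw new IllegalStateException("before-script execution is disabled");
        }
        // Resolve and canonicalise, then require the result to stay inside
        // SCRIPT_DIR, so "../../bin/sh" or an absolute path cannot escape the
        // allowlisted directory (resolve() returns an absolute argument as-is,
        // which the startsWith check then rejects).
        Path base = SCRIPT_DIR.toRealPath();
        Path script = base.resolve(scriptName).toRealPath();
        if (!script.startsWith(base) || !Files.isRegularFile(script)) {
            throw new SecurityException("script not in allowlisted directory: " + scriptName);
        }
        // No shell: the canonical path is the whole command line, so the
        // operating system performs no command parsing on the value.
        return new ProcessBuilder(List.of(script.toString()))
                .redirectErrorStream(true)
                .start();
    }
}
```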