PT-2024-19986 · Geoserver · Geoserver

Sikeoka · Published 2024-03-20 · Updated 2024-12-17 · CVE-2024-23634

CVSS v3.1: 6.0 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions
GeoServer versions prior to 2.23.5 and 2.24.2

Description
An arbitrary file renaming issue exists, allowing an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in .zip. This issue can result in a denial of service, either by preventing GeoServer from running or by effectively deleting specific resources. The impact of renaming non-GeoServer files depends on the environment, but a denial of service is likely. The API endpoints involved are "http://localhost:8080/geoserver/rest/workspaces/a/coveragestores/b/external.geotiff" and "http://localhost:8080/geoserver/rest/workspaces/a/datastores/b/external.c". The Content-Type header is set to application/zip in the requests.

Recommendations
For versions prior to 2.23.5, update to version 2.23.5 or later. For versions prior to 2.24.2, update to version 2.24.2 or later. As a temporary workaround, consider restricting access to the REST Coverage Store and Data Store API to minimize the risk of exploitation.

Tags: Exploit · Fix · DoS · RCE

Weakness Enumeration

Related Identifiers
CVE-2024-23634
GHSA-75M5-HH4R-Q9GX

Affected Products
Geoserver