PT-2024-26113 · Geoserver · Geoserver

Miceg · Published 2024-07-01 · Updated 2024-07-03 · CVE-2024-34696

CVSS v3.1: 4.5 Medium
Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
GeoServer versions 2.10.0 through 2.24.3
GeoServer version 2.25.0
Description
The issue concerns GeoServer's Server Status page and REST API, which list all environment variables and Java system properties to any GeoServer user with administrative rights. These variables and properties can contain sensitive information, such as database passwords or API keys/tokens. The precise scope of the issue depends on the container image used and its configuration. The about status API endpoint, which powers the Server Status page, is only available to administrators. By default, GeoServer only allows same-origin authenticated API access, which limits the scope for a third party to ride on an administrator's credentials and read these secrets.
Recommendations
For GeoServer versions 2.10.0 through 2.24.3, update to version 2.24.4 to get the bug fix. For GeoServer version 2.25.0, update to version 2.25.1 to get the bug fix.

As a workaround, leave environment variables and Java system properties hidden by default. If the option to re-enable them is provided, communicate the impact and risks so that users can make an informed choice.

Container images should practice "defence in depth" to limit the impact when configured to show environment variables and/or properties: pass secrets to the container as files or as references to a secret stored in a cloud provider's metadata or secret management service, ensure that any configuration files containing secrets are not readable by other users, and clear all environment variables that contain secrets before starting GeoServer.
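The container-side workarounds above (secrets passed as files that other users cannot read, and secret-bearing environment variables cleared before GeoServer starts) as an added entrypoint example; it is not part of the advisory or of the GeoServer project. It assumes the NAME_FILE convention and the secret-name pattern stated in its comments, and that the image's own GeoServer start command is passed to it as arguments.

```shell
#!/bin/sh
# Added example, not GeoServer project code: an entrypoint wrapper for the
# advisory's container-side workarounds. Assumed conventions: a secret arrives
# as a file named by a NAME_FILE variable (e.g. DB_PASSWORD_FILE=/run/secrets/db),
# and variable names matching SECRET_NAME_PATTERN are treated as secret-bearing.
set -eu
SECRET_NAME_PATTERN='PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY'

# Succeeds only if the file exists and group/other have no permission bits,
# i.e. other users on the host or in the container cannot read it.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    # columns 5-10 of "ls -ld" are the group and other permission triplets
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Checks every path given as an argument; fails if any is missing or shared.
check_secret_files() {
    bad=0
    for f in "$@"; do
        secret_file_is_private "$f" || { echo "refusing shared secret file: $f" >&2; bad=1; }
    done
    return "$bad"
}

# Prints the names of exported variables whose name looks secret-bearing.
# A NAME_FILE path is a reference to a secret, not the secret, and is kept.
list_secret_env_names() {
    env | awk -F= -v pat="$SECRET_NAME_PATTERN" \
        '/^[A-Za-z_][A-Za-z0-9_]*=/ && toupper($1) ~ pat && $1 !~ /_FILE$/ { print $1 }'
}

# Unsets those variables in the current shell so neither the Server Status page
# nor the about status REST endpoint can list them; call it directly, not in $(...).
scrub_secret_env() {
    for name in $(list_secret_env_names); do
        unset "$name"
        echo "cleared from environment: $name"
    done
}

main() {
    # 1. every NAME_FILE reference must point at a private file
    check_secret_files $(env | awk -F= '/^[A-Za-z_][A-Za-z0-9_]*_FILE=/ { print $2 }')
    # 2. drop secret-bearing variables before GeoServer inherits them
    scrub_secret_env
    # 3. hand over to the image's own GeoServer start command (assumed to be "$@")
    exec "$@"
}
# Run main only when invoked as the entrypoint; sourcing just defines functions.
if [ "${0##*/}" = "geoserver-entrypoint.sh" ]; then main "$@"; fi
```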

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2024-34696
GHSA-J59V-VGCR-HXVF

Affected Products

Geoserver