PT-2024-5226 · Eclipse+1 · Jetty+1

Kai5174 · Published 2024-02-12 · Updated 2024-12-18 · CVE-2024-24749

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: GeoServer versions prior to 2.23.5 and 2.24.3
Description: The issue lies in the GeoWebCache ByteStreamController class, where existing input validation can be bypassed to read arbitrary classpath resources that have specific file name extensions. This can potentially allow an attacker to gain administrator privileges, especially when GeoServer is deployed as a web archive using the embedded data directory. Production environments, however, are unlikely to use the embedded data directory because of the maintenance difficulties it causes.
Recommendations: For versions prior to 2.23.5 and 2.24.3, update to version 2.23.5 or 2.24.3 to resolve the issue. As a temporary workaround, consider changing from a Windows environment to a Linux environment, or from Apache Tomcat to the Jetty application server. Additionally, disable anonymous access to the embedded GeoWebCache administration and status pages: navigate to the Security > Authentication page, locate the Filter Chains heading, select the web filter chain, remove /gwc/rest/web/** from the pattern, and save the changes.
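
A defender-side check for this advisory, added here as an example (not GeoServer's or the advisory's own code): it classifies a GeoServer version against the fixed releases named above and inspects a security/config.xml filter-chain fragment for the web chain pattern the workaround removes. The XML layout (a `<filters name="web" path="...">` element with `<filter>` children) and the sample fragment are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory: 2.23.5 and 2.24.3.
FIXED_2_23 = (2, 23, 5)
FIXED_2_24 = (2, 24, 3)
GWC_WEB_PATTERN = "/gwc/rest/web/**"  # pattern the workaround removes from the web chain


def parse_version(version):
    """Turn '2.24.1' into (2, 24, 1); missing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True for any GeoServer before 2.23.5, or a 2.24.x release before 2.24.3."""
    v = parse_version(version)
    if v[:2] == (2, 24):
        return v < FIXED_2_24
    return v < FIXED_2_23


def web_chain_exposes_gwc(config_xml):
    """True when the 'web' filter chain still matches /gwc/rest/web/** and carries
    the anonymous filter, i.e. the workaround from the advisory is not in place.
    Assumed layout: <filters name="web" path="p1,p2,..."> with <filter> children."""
    root = ET.fromstring(config_xml)
    for chain in root.iter("filters"):
        if chain.get("name") == "web":
            patterns = {p.strip() for p in chain.get("path", "").split(",")}
            anonymous = any(f.text == "anonymous" for f in chain.findall("filter"))
            return GWC_WEB_PATTERN in patterns and anonymous
    return False


# Constructed sample fragment: a default-looking web chain, and the same chain after the workaround.
DEFAULT_CONFIG = """<security><filterChain>
  <filters name="web" path="/web/**,/gwc/rest/web/**,/">
    <filter>rememberme</filter><filter>form</filter><filter>anonymous</filter>
  </filters>
</filterChain></security>"""
HARDENED_CONFIG = DEFAULT_CONFIG.replace(",/gwc/rest/web/**", "")


def needs_action(version, config_xml):
    """Upgrading is the fix; the chain check only says whether the workaround is applied."""
    if not is_affected(version):
        return "patched"
    return "exposed" if web_chain_exposes_gwc(config_xml) else "workaround-only"
```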

Weakness Enumeration: Path traversal

Related Identifiers

BDU:2024-05791
CVE-2024-24749
GHSA-JHQX-5V5G-MPF3

Affected Products

Apache Tomcat
Jetty