PT-2025-24660 · Geoserver · Geoserver

Published: 2025-06-10 · Updated: 2025-07-17 · CVE-2024-29198

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
- GeoServer versions prior to 2.24.4
- GeoServer versions prior to 2.25.2

Description
The issue allows Server Side Request Forgery (SSRF) via the Demo request endpoint if the Proxy Base URL has not been set. An unauthenticated user can use it to enumerate internal networks and obtain sensitive data, particularly in cloud instances. The TestWfsPost servlet is involved in this issue.

Recommendations
For GeoServer versions prior to 2.24.4, upgrade to GeoServer 2.24.4, which removes the TestWfsPost servlet and resolves the issue. For GeoServer versions prior to 2.25.2, upgrade to GeoServer 2.25.2, which removes the TestWfsPost servlet and resolves the issue. As a temporary workaround when running GeoServer behind a proxy, set the PROXY BASE URL property to a non-empty value that cannot be overridden by the user interface or by an incoming request. When running GeoServer directly without a proxy, block all access to TestWfsPost by editing the web.xml file to add a security constraint that blocks access to the /TestWfsPost/* URL pattern.
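The web.xml security constraint that the no-proxy workaround describes, written out as an added example rather than taken from the advisory or the GeoServer project; the WEB-INF/web.xml location and the web-resource-name are assumptions.

```xml
<!-- Added to GeoServer's WEB-INF/web.xml (path assumed), as a child of <web-app>.
     Per the Servlet specification, an <auth-constraint> with no <role-name>
     permits no one, so the container rejects every request matching the
     pattern before it reaches the TestWfsPost servlet. -->
<security-constraint>
  <web-resource-collection>
    <!-- the name is arbitrary; chosen here for readability -->
    <web-resource-name>TestWfsPost-blocked</web-resource-name>
    <!-- the URL pattern named in the advisory's workaround -->
    <url-pattern>/TestWfsPost/*</url-pattern>
    <!-- no <http-method> elements: the constraint covers all HTTP methods -->
  </web-resource-collection>
  <!-- empty auth-constraint: deny access to all users, authenticated or not -->
  <auth-constraint/>
</security-constraint>
```

After restarting the servlet container, verify the block by requesting the TestWfsPost path under the GeoServer context; the container should answer with 403 Forbidden instead of the servlet's response.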

Tags: Exploit · Fix · SSRF

Related Identifiers

BDU:2025-10403
CVE-2024-29198
GHSA-5GW5-JCCF-6HXW

Affected Products

Geoserver