PT-2025-24661 · Geoserver · Geoserver

Published

2025-06-10

·

Updated

2025-06-11

·

CVE-2024-34711

CVSS v3.1

9.3

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

GeoServer versions prior to 2.25.0
Description

An improper URI validation vulnerability exists in GeoServer that lets an unauthenticated attacker perform XML External Entity (XXE) attacks and make the server send GET requests to any HTTP server (server-side request forgery). By default, GeoServer uses the PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. However, the regular expression it uses is too permissive: it still admits URIs that point at arbitrary HTTP servers and at a limited set of local files. An attacker can use this to scan internal networks, gather information about reachable services, and pivot to further exploitation. Attackers can also read a limited set of .xsd files on the system.
Recommendations

For GeoServer versions prior to 2.25.0, define the system property ENTITY_RESOLUTION_ALLOWLIST to restrict external schema resolution to an explicit list of locations. The built-in allow list covers the locations required for the operation of the OGC web services; to permit additional locations, refer to the user guide for how to add them. For GeoServer 2.25.0 and greater, no action is required, as these versions enable ENTITY_RESOLUTION_ALLOWLIST by default.
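The following Python is an added illustration, not code from GeoServer or GeoTools, of the two resolver policies the description and the recommendation contrast: a pattern filter that accepts any URI of the right shape, and an allow list that accepts only known schema hosts. The regular expression, the allow-list entries, the probe URIs and all function names are assumptions constructed for the example; the real pattern and the real built-in list live in GeoTools and the GeoServer user guide respectively.

```python
"""Pattern-based vs. allow-list-based external entity URI checks (illustration)."""
import re
from urllib.parse import urlsplit

# ASSUMPTION: a pattern in the spirit of the one the advisory describes. It accepts
# any http(s)/jar:file/vfs URI that ends in ".xsd" and carries no query/fragment.
# Note that it constrains the *shape* of the URI, never where the request goes.
PATTERN_FILTER = re.compile(r"(?i)(jar:file|http|vfs)[^?#;]*\.xsd")

# ASSUMPTION: allow-list entries of the "host" or "host/path-prefix" form, modelled on
# what a property such as ENTITY_RESOLUTION_ALLOWLIST would carry.
DEFAULT_ALLOWLIST = (
    "www.w3.org",
    "schemas.opengis.net",
    "www.opengis.net",
    "inspire.ec.europa.eu/schemas",
)


def pattern_allows(system_id: str) -> bool:
    """Vulnerable-style check: does the URI merely look like a schema reference?"""
    return PATTERN_FILTER.fullmatch(system_id) is not None


def allowlist_allows(system_id: str, allowlist=DEFAULT_ALLOWLIST) -> bool:
    """Hardened check: only http(s) to a listed host (and optional path prefix)."""
    try:
        parts = urlsplit(system_id)
        host = parts.hostname          # lower-cased, userinfo and port stripped
        _ = parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https") or not host:
        return False                   # file:, jar:file:, vfs: never leave the process
    for entry in allowlist:
        allowed_host, _, prefix = entry.partition("/")
        required_path = "/" + prefix.strip("/") + "/" if prefix else "/"
        if host == allowed_host.lower() and parts.path.startswith(required_path):
            return True
    return False


# Constructed sample system identifiers an attacker might place in
# <!ENTITY x SYSTEM "..."> inside a request body.
PROBES = {
    "legit schema": "http://schemas.opengis.net/wfs/1.1.0/wfs.xsd",
    "legit w3c schema": "https://www.w3.org/2001/xml.xsd",
    "internal host scan": "http://10.0.0.5:8080/admin/probe.xsd",
    "cloud metadata": "http://169.254.169.254/latest/meta-data/iam/probe.xsd",
    "userinfo trick": "http://schemas.opengis.net@10.0.0.5/probe.xsd",
    "local file": "file:///etc/passwd",
    "local xsd": "jar:file:///opt/geoserver/WEB-INF/lib/gt-xsd.jar!/schema.xsd",
}


def evaluate(probes=PROBES):
    """Run every probe through both policies; returns {name: {policy: allowed}}."""
    return {
        name: {"pattern": pattern_allows(uri), "allowlist": allowlist_allows(uri)}
        for name, uri in probes.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:20} pattern={verdict['pattern']!s:5} allowlist={verdict['allowlist']}")
```

The "userinfo trick" row is why the hardened check parses the URI and compares `hostname` rather than testing whether the string starts with a trusted host name: `http://schemas.opengis.net@10.0.0.5/...` begins with a trusted name but connects to 10.0.0.5. Only the pattern filter lets the internal-host, cloud-metadata and local `.xsd` probes through, which is the SSRF and limited file read the advisory describes.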

Exploit

Fix

Information Disclosure

SSRF

XXE

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-10402
CVE-2024-34711
GHSA-MC43-4FQR-C965

Affected Products

Geoserver