PT-2025-24662 · Geoserver · Geoserver

Published 2025-06-10 · Updated 2025-06-10 · CVE-2024-38524

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: GeoServer versions prior to 2.25.6; GeoServer versions prior to 2.26.2
Description: The GeoWebCache home page includes version and revision information about the software in use. This is security-sensitive because it lets the software running on the server be identified easily. The org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) function performs no check to hide potentially sensitive information from users; the only control is a hidden system property that hides the storage locations, and it defaults to showing them. The page therefore exposes the config file and storage locations, which may reveal the system's temp directory and whether GeoServer is running on Windows. The approximate server start time and some basic GWC usage information are also exposed.
Recommendations: For versions prior to 2.25.6, update to version 2.25.6 or later. For versions prior to 2.26.2, update to version 2.26.2 or later. As a temporary workaround, consider disabling the handleFrontPage function in org.geowebcache.GeoWebCacheDispatcher until a patch can be applied, and restrict access to the GeoWebCache home page to minimize the risk of exploitation.
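A small defender-side check, added here as an example and not code from GeoServer, GeoWebCache or the advisory's author: it takes the HTML of a GeoWebCache front page (your own instance, or the constructed sample embedded below) and reports whether it still contains the categories of detail the advisory names, so that an upgrade or access restriction can be verified rather than assumed. The regular expressions are assumed phrasings written for this example, not taken from the GeoWebCache source, and the sample pages are constructed, not captures of a real response.

```python
"""Defender-side check for the disclosure described in this advisory.

Fetches (or is handed) the HTML of a GeoWebCache front page and reports
whether it still contains the kinds of detail the advisory names: version
and revision strings, config-file and storage paths (Windows or POSIX), and
server start-time / usage text. Use it to confirm that an upgrade or an
access restriction actually removed the exposure.
"""
import re
import sys
import urllib.request

# Assumed phrasings for each category of detail the advisory says the page
# shows. They are heuristics written for this example, not taken from the
# GeoWebCache source; tune them against your own instance's output.
INDICATORS = {
    "version":      re.compile(r"\b(?:version|build)\b[^<\n]{0,40}?\d+(?:\.\d+)+", re.I),
    "revision":     re.compile(r"\b(?:revision|git|commit)\b[^<\n]{0,40}?[0-9a-f]{7,40}", re.I),
    "windows_path": re.compile(r"\b[A-Za-z]:\\[^<\s\"']+"),
    "posix_path":   re.compile(r"(?<![\w/])/(?:tmp|var|opt|home|srv)/[^<\s\"']+"),
    "start_time":   re.compile(r"\b(?:started|start time|uptime)\b", re.I),
}


def find_disclosures(html: str) -> dict:
    """Return {category: [matched snippets]} for every indicator present in html."""
    findings = {}
    for category, pattern in INDICATORS.items():
        hits = pattern.findall(html)
        if hits:
            findings[category] = hits
    return findings


def check_url(url: str, timeout: float = 5.0) -> dict:
    """Fetch a front page from your own server and run find_disclosures on it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return find_disclosures(body)


# Constructed sample pages (not captures of a real GeoWebCache response).
LEAKY_PAGE = r"""<html><body>
<h1>GeoWebCache</h1>
<p>Version 2.25.0, Git revision 1a2b3c4d5e6f7a8b</p>
<p>Config file: C:\Users\svc\AppData\Local\Temp\geowebcache.xml</p>
<p>Blob store: /var/lib/geowebcache/blobstore</p>
<p>Started at 2025-06-10T08:00:00Z, 1234 requests served</p>
</body></html>"""

CLEAN_PAGE = """<html><body>
<h1>GeoWebCache</h1>
<p>Welcome. Tile services are available.</p>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_url(sys.argv[1])        # live check against your own instance
    else:
        result = find_disclosures(LEAKY_PAGE)  # offline demo on the constructed sample
    for category, hits in result.items():
        print(f"{category}: {hits}")
    sys.exit(1 if result else 0)               # non-zero exit = page still discloses
```

Run it with no arguments for the offline demo, or pass the URL of your own GeoWebCache front page; a non-zero exit status means at least one category of detail is still visible, which makes the script easy to wire into a post-upgrade or configuration-audit job.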

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-10400
CVE-2024-38524
GHSA-JM79-7XHW-6F6F

Affected Products

Geoserver