PT-2025-26488 · Maven · Org.Geonetwork-Opensource:Gn-Web-App+1
Published 2025-06-10 · Updated 2025-06-10
CVSS v3.1 8.2 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
Impact
The GeoNetwork WFS Index functionality is affected by a GeoTools XML External Entity (XXE) vulnerability that is triggered during schema validation of WFS responses.
The vulnerability is particularly severe because the REST API endpoint that drives the WFS indexing was not secured, so an unauthenticated attacker can supply XML that is validated by the vulnerable GeoTools code path and potentially read sensitive files from the server (hence C:H in the vector above).
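The mechanism behind the advisory, as an added illustration (not GeoNetwork's or GeoTools' own code, and not the actual patch): a JAXP parser left on its default settings resolves the external entity declared in a DOCTYPE, so a file reference in attacker-supplied XML is read and inlined; the same input against a parser that refuses DOCTYPEs and disables external entities is rejected before any file is touched. The payload, the class name, and the `/etc/hostname` target are constructed for the demo; the feature URIs are the standard Xerces/SAX ones and the `ACCESS_EXTERNAL_*` properties are the JAXP 1.5 ones that also apply to `SchemaFactory`, which is the validation step the advisory names.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {
    // Constructed payload (not from the advisory): a DOCTYPE declaring an external
    // general entity that points at a local file, referenced from the body.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE wfs [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<wfs:FeatureCollection xmlns:wfs=\"http://www.opengis.net/wfs\">"
        + "<note>&xxe;</note></wfs:FeatureCollection>";

    // Default JAXP configuration: DTDs are accepted and external entities are
    // resolved, so the file content ends up inside the parsed document.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: refuse any DOCTYPE, and as defence in depth also
    // switch off external entity resolution, external DTD loading and XInclude.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Schema validation is its own parser path: a SchemaFactory must be locked
    // down separately, otherwise xs:import / DTD references in the schema or the
    // instance can still reach out to file:// or http:// during validation.
    static SchemaFactory hardenedSchemaFactory() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    // Parse the payload and return whatever the entity expanded to.
    static String parseAndGetNote(DocumentBuilder b) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(PAYLOAD.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("note").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // With the default builder the <note> element now contains the host's
        // /etc/hostname: that is the file read the advisory describes.
        System.out.println("vulnerable: " + parseAndGetNote(vulnerableBuilder()).trim());
        try {
            parseAndGetNote(hardenedBuilder());
            System.out.println("hardened: unexpectedly parsed");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
        hardenedSchemaFactory(); // configured the same way before any validate() call
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo` on any JDK with the built-in Xerces parser. The practical check for an application like GeoNetwork is the second half: every `DocumentBuilderFactory`, `SAXParserFactory`, `XMLInputFactory` and `SchemaFactory` that touches remote WFS data needs these settings, because one overlooked validation step is enough to reintroduce the file read.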
Patches
GeoNetwork 4.4.8 / 4.2.13.
Workarounds
Remove the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars, disabling the WFS Index functionality.
References
Fix
XXE
SSRF
Related Identifiers
Affected Products
Org.Geonetwork-Opensource:Gn-Web-App
Org.Geonetwork-Opensource:Gn-Wfsfeature-Harvester