CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51445 – GeoServer Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API
https://notcve.org/view.php?id=CVE-2023-51445
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 2.23.3 and 2.24.0 that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources that will execute in the context of another administrator's browser when viewed in the REST Resources API. Access to the REST Resources API is limited to full administrators by default and granting non-administrators access to this endpoint should be carefully considered as it may allow access to files containing sensitive information. Versions 2.23.3 and 2.24.0 contain a patch for this issue. • https://github.com/geoserver/geoserver/commit/7db985738ff2422019ccac974cf547bae5770cad https://github.com/geoserver/geoserver/pull/7161 https://github.com/geoserver/geoserver/security/advisories/GHSA-fh7p-5f6g-vj2w https://osgeo-org.atlassian.net/browse/GEOS-11148 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2023-51444 – GeoServer arbitrary file upload vulnerability in REST Coverage Store API
https://notcve.org/view.php?id=CVE-2023-51444
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file upload vulnerability exists in versions prior to 2.23.4 and 2.24.1 that enables an authenticated administrator with permissions to modify coverage stores through the REST Coverage Store API to upload arbitrary file contents to arbitrary file locations which can lead to remote code execution. Coverage stores that are configured using relative paths use a GeoServer Resource implementation that has validation to prevent path traversal but coverage stores that are configured using absolute paths use a different Resource implementation that does not prevent path traversal. This vulnerability can lead to executing arbitrary code. An administrator with limited privileges could also potentially exploit this to overwrite GeoServer security files and obtain full administrator privileges. • https://github.com/geoserver/geoserver/commit/ca683170c669718cb6ad4c79e01b0451065e13b8 https://github.com/geoserver/geoserver/commit/fe235b3bb1d7f05751a4a2ef5390c36f5c9e78ae https://github.com/geoserver/geoserver/pull/7222 https://github.com/geoserver/geoserver/security/advisories/GHSA-9v5q-2gwq-q9hq https://osgeo-org.atlassian.net/browse/GEOS-11176 • CWE-20: Improper Input Validation CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41877 – GeoServer log file path traversal vulnerability
https://notcve.org/view.php?id=CVE-2023-41877
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. A path traversal vulnerability in versions 2.23.4 and prior requires GeoServer Administrator with access to the admin console to misconfigure the Global Settings for log file location to an arbitrary location. The admin console GeoServer Logs page provides a preview of these contents. As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not received a patch as of time of publication. As a workaround, a system administrator responsible for running GeoServer can use the `GEOSERVER_LOG_FILE` setting to override any configuration option provided by the Global Settings page. • https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location https://github.com/geoserver/geoserver/security/advisories/GHSA-8g7v-vjrc-x4g5 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35042
https://notcve.org/view.php?id=CVE-2023-35042
GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in any version. • https://docs.geoserver.org/stable/en/user/services/wps/operations.html#execute https://isc.sans.edu/diary/29936 •
CVSS: 5.0EPSS: 0%CPEs: 26EXPL: 0CVE-2008-7227
https://notcve.org/view.php?id=CVE-2008-7227
PartialBufferOutputStream2 in GeoServer before 1.6.1 and 1.7.0-beta1 attempts to flush buffer contents even when it is handling an "in memory buffer," which prevents the reporting of a service exception, with unknown impact and attack vectors. PartialBufferOutputStream2 de GeoServer anterior a v1.6.1 y v1.7.0-beta1, intenta renovar los contenidos del búfer incluso cuando está trabajando un "búfer en memoria", esto evita que se muestren las excepciones en este servicio, lo que tiene un impacto y vectores de ataque desconocidos. • http://jira.codehaus.org/browse/GEOS-1747 http://osvdb.org/43266 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •