CVE-2024-23634

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. An arbitrary file renaming vulnerability exists in versions prior to 2.23.5 and 2.24.2 that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in `.zip`. Store file uploads rename zip files to have a `.zip` extension if it doesn't already have one before unzipping the file. This is fine for file and url upload methods where the files will be in a specific subdirectory of the data directory but, when using the external upload method, this allows arbitrary files and directories to be renamed. Renaming GeoServer files will most likely result in a denial of service, either completely preventing GeoServer from running or effectively deleting specific resources (such as a workspace, layer or style). In some cases, renaming GeoServer files could revert to the default settings for that file which could be relatively harmless like removing contact information or have more serious consequences like allowing users to make OGC requests that the customized settings would have prevented them from making. The impact of renaming non-GeoServer files depends on the specific environment although some sort of denial of service is a likely outcome. Versions 2.23.5 and 2.24.2 contain a fix for this issue.

CVSS v3 6.0 MEDIUM

6.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772	Patch
https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a	Patch
https://github.com/geoserver/geoserver/pull/7289	Issue Tracking
https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx	Vendor Advisory
https://osgeo-org.atlassian.net/browse/GEOS-11213	Issue Tracking
https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772	Patch
https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a	Patch
https://github.com/geoserver/geoserver/pull/7289	Issue Tracking
https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx	Exploit Vendor Advisory
https://osgeo-org.atlassian.net/browse/GEOS-11213	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:geoserver:geoserver::::::::
	cpe:2.3:a:geoserver:geoserver::::::::

History

17 Dec 2024, 20:20

Type	Values Removed	Values Added
First Time		Geoserver geoserver Geoserver
CWE		NVD-CWE-Other
CPE		cpe:2.3:a:geoserver:geoserver::::::::
References	~~() https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772 -~~	() https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772 - Patch
References	~~() https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a -~~	() https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a - Patch
References	~~() https://github.com/geoserver/geoserver/pull/7289 -~~	() https://github.com/geoserver/geoserver/pull/7289 - Issue Tracking
References	~~() https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx -~~	() https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx - Exploit, Vendor Advisory
References	~~() https://osgeo-org.atlassian.net/browse/GEOS-11213 -~~	() https://osgeo-org.atlassian.net/browse/GEOS-11213 - Issue Tracking

21 Nov 2024, 08:58

Type	Values Removed	Values Added
Summary		(es) GeoServer es un servidor de software de código abierto escrito en Java que permite a los usuarios compartir y editar datos geoespaciales. Existe una vulnerabilidad de cambio de nombre de archivo arbitrario en versiones anteriores a 2.23.5 y 2.24.2 que permite a un administrador autenticado con permisos para modificar almacenes a través de la API de almacén de datos o almacén de cobertura REST cambiar el nombre de archivos y directorios arbitrarios con un nombre que no termina en ".zip". Las cargas de archivos del almacén cambian el nombre de los archivos zip para que tengan una extensión ".zip" si aún no la tienen antes de descomprimir el archivo. Esto está bien para los métodos de carga de archivos y URL donde los archivos estarán en un subdirectorio específico del directorio de datos pero, cuando se utiliza el método de carga externo, esto permite cambiar el nombre de archivos y directorios arbitrarios. Cambiar el nombre de los archivos de GeoServer probablemente resultará en una denegación de servicio, ya sea impidiendo por completo que GeoServer se ejecute o eliminando efectivamente recursos específicos (como un espacio de trabajo, una capa o un estilo). En algunos casos, cambiar el nombre de los archivos de GeoServer podría hacer que se vuelva a la configuración predeterminada de ese archivo, lo que podría ser relativamente inofensivo, como eliminar información de contacto, o tener consecuencias más graves, como permitir que los usuarios realicen solicitudes OGC que la configuración personalizada les habría impedido realizar. El impacto de cambiar el nombre de los archivos que no son de GeoServer depende del entorno específico, aunque es probable que se produzca algún tipo de denegación de servicio. Las versiones 2.23.5 y 2.24.2 contienen una solución para este problema.
References	~~() https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772 -~~	() https://github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772 -
References	~~() https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a -~~	() https://github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a -
References	~~() https://github.com/geoserver/geoserver/pull/7289 -~~	() https://github.com/geoserver/geoserver/pull/7289 -
References	~~() https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx -~~	() https://github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx -
References	~~() https://osgeo-org.atlassian.net/browse/GEOS-11213 -~~	() https://osgeo-org.atlassian.net/browse/GEOS-11213 -

20 Mar 2024, 17:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-20 16:15

Updated : 2024-12-17 20:20

NVD link : CVE-2024-23634

Mitre link : CVE-2024-23634

CVE.ORG link : CVE-2024-23634

JSON object : View

Products Affected

geoserver

geoserver

CWE

CWE-20

Improper Input Validation

CWE-73

External Control of File Name or Path

NVD-CWE-Other

6.0 /10