CVE-2024-29198

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw
https://osgeo-org.atlassian.net/browse/GEOS-11390
https://osgeo-org.atlassian.net/browse/GEOS-11794

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
Summary		(es) GeoServer es un servidor de software de código abierto escrito en Java que permite a los usuarios compartir y editar datos geoespaciales. Es posible realizar Service Side Request Forgery (SSRF) a través del endpoint de la solicitud de demostración si no se ha configurado la URL base del proxy. La actualización a GeoServer 2.24.4 o 2.25.2 elimina el servlet TestWfsPost, lo que soluciona este problema.

10 Jun 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 15:15

Updated : 2025-06-12 16:06

NVD link : CVE-2024-29198

Mitre link : CVE-2024-29198

CVE.ORG link : CVE-2024-29198

JSON object : View

Products Affected

No product.

CWE

CWE-918

Server-Side Request Forgery (SSRF)

7.5 /10