CVE-2024-34711

GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities
https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965

Configurations

No configuration.

History

12 Jun 2025, 16:06

Type	Values Removed	Values Added
Summary		(es) GeoServer es un servidor de código abierto que permite a los usuarios compartir y editar datos geoespaciales. Existe una vulnerabilidad de validación de URI incorrecta que permite a un atacante no autorizado realizar un ataque de Entidades Externas XML (XEE) y enviar una solicitud GET a cualquier servidor HTTP. De forma predeterminada, GeoServer utiliza la clase PreventLocalEntityResolver de GeoTools para filtrar URI maliciosos en entidades XML antes de resolverlos. El URI debe coincidir con la expresión regular (?i)(jar:file\|http\|vfs)[^?#;]*\\.xsd. Sin embargo, la expresión regular permite a los atacantes realizar solicitudes a cualquier servidor HTTP o archivo limitado. Un atacante puede aprovechar esto para escanear redes internas, obtener información sobre ellas y luego explotarla. GeoServer 2.25.0 y versiones posteriores utilizan ENTITY_RESOLUTION_ALLOWLIST de forma predeterminada y no requieren que se proporcione una propiedad del sistema.

10 Jun 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 15:15

Updated : 2025-06-12 16:06

NVD link : CVE-2024-34711

Mitre link : CVE-2024-34711

CVE.ORG link : CVE-2024-34711

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-611

Improper Restriction of XML External Entity Reference

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-34711", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2025-06-10T15:15:22.710", "references": [{"url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities", "source": "security-advisories@github.com"}, {"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-mc43-4fqr-c965", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-611"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. By default, GeoServer use PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\\\.xsd. But the regex leaves a chance for attackers to request to any HTTP server or limited file. Attacker can abuse this to scan internal networks and gain information about them then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property."}, {"lang": "es", "value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. Existe una vulnerabilidad de validaci\u00f3n de URI incorrecta que permite a un atacante no autorizado realizar un ataque de Entidades Externas XML (XEE) y enviar una solicitud GET a cualquier servidor HTTP. De forma predeterminada, GeoServer utiliza la clase PreventLocalEntityResolver de GeoTools para filtrar URI maliciosos en entidades XML antes de resolverlos. El URI debe coincidir con la expresi\u00f3n regular (?i)(jar:file|http|vfs)[^?#;]*\\\\.xsd. Sin embargo, la expresi\u00f3n regular permite a los atacantes realizar solicitudes a cualquier servidor HTTP o archivo limitado. Un atacante puede aprovechar esto para escanear redes internas, obtener informaci\u00f3n sobre ellas y luego explotarla. GeoServer 2.25.0 y versiones posteriores utilizan ENTITY_RESOLUTION_ALLOWLIST de forma predeterminada y no requieren que se proporcione una propiedad del sistema."}], "lastModified": "2025-06-12T16:06:39.330", "sourceIdentifier": "security-advisories@github.com"}

9.3 /10