CVE-2024-40625
- Source
- https://cve.org/CVERecord?id=CVE-2024-40625
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40625.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-40625
- Aliases
- Published
- 2025-06-10T14:49:05.368Z
- Modified
- 2026-04-10T05:15:24.802400Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L CVSS Calculator
- Summary
- GeoServer Coverage REST API Allows Server Side Request Forgery
- Details
-
GeoServer is an open source server that allows users to share and edit geospatial data. The Coverage rest api /workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format} allows attackers to upload files with a specified url (with {method} equals 'url') with no restrict. This vulnerability is fixed in 2.26.0.
- Database specific
{ "cwe_ids": [ "CWE-918" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40625.json", "cna_assigner": "GitHub_M" }- References
-
- https://osgeo-org.atlassian.net/browse/GEOS-11468
- https://osgeo-org.atlassian.net/browse/GEOS-11717
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/40xxx/CVE-2024-40625.json
- https://github.com/geoserver/geoserver/security/advisories/GHSA-r4hf-r8gj-jgw2
- https://nvd.nist.gov/vuln/detail/CVE-2024-40625