GHSA-2p76-gc46-5fvc

Source
https://github.com/advisories/GHSA-2p76-gc46-5fvc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-2p76-gc46-5fvc/GHSA-2p76-gc46-5fvc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2p76-gc46-5fvc
Published
2025-06-10T20:10:42Z
Modified
2025-06-10T20:10:42Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Summary
GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint
Details

Impact

GeoNetwork's WFS Index functionality is affected by a GeoTools XML External Entity (XXE) vulnerability that is triggered during schema validation of the submitted XML.

This vulnerability is particularly severe because the WFS indexing REST API endpoint was not secured, so an unauthenticated attacker can submit a crafted document and potentially read sensitive files from the server. Because an external entity may also point at an http(s) URL, the same flaw lets the server be made to issue requests on the attacker's behalf, which is why the advisory carries both CWE-611 (XXE) and CWE-918 (SSRF).
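
The mechanism described above, as an added example: it is not GeoNetwork or GeoTools code, and it uses Python's xml.sax (expat) parser as a stand-in for the Java parser involved in the real advisory. The secret file, its path, the `SECRET` value and the XML payload are all constructed here so the script runs offline. The same parse is run twice, once with external general entity resolution switched on (the vulnerable configuration) and once with it off (the hardened one), so the difference in what the application "sees" is visible.

```python
"""Added example (not GeoNetwork or GeoTools code): the XXE mechanism named in
the advisory, shown with Python's xml.sax/expat parser as a stand-in for the
Java parser.  The secret file, its path and the payload are all constructed
here so the script runs offline; nothing is fetched from a network."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive file on the GeoNetwork host.
SECRET = "db-password=hunter2"


class TextCollector(ContentHandler):
    """Records character data so we can see what &xxe; expanded to."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def xxe_payload(target_path):
    """Classic XXE: an external general entity pointing at a local file,
    referenced from element content.  In the real attack this is the body
    the unsecured WFS indexing endpoint hands to the validating parser."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://{target_path}">]>'
        '<data>&xxe;</data>'
    )


def parse_with_policy(xml_text, resolve_external_entities):
    """Parse with external general entity resolution on (vulnerable) or off
    (hardened).  Off is Python's default since 3.7.1; it is set explicitly so
    the result does not depend on the interpreter version."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.text


def run_demo():
    """Write the constructed secret to a temp file, attack it under both
    settings, and return (leaked_by_vulnerable_parser, seen_by_hardened_parser)."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write(SECRET)
        path = f.name
    try:
        leaked = parse_with_policy(xxe_payload(path), resolve_external_entities=True)
        blocked = parse_with_policy(xxe_payload(path), resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = run_demo()
    print("vulnerable parser read:", repr(leaked))
    print("hardened parser read:  ", repr(blocked))
```

With resolution enabled the parser inlines the file contents into the document, which is exactly the primitive an attacker needs once the endpoint reflects or logs any part of the parsed data. For a JAXP-based Java stack the equivalent hardening is to reject DTDs outright (`factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`) or, where DTDs are needed, to set `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` to an empty string on the `DocumentBuilderFactory`/`SchemaFactory`; which of these the GeoTools fix applied is not stated on this page.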

Patches

Fixed in GeoNetwork 4.4.8 (4.4.x series) and 4.2.13 (4.2.x series).

Workarounds

Remove the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars from the deployment; this disables the WFS Index functionality, and with it the vulnerable endpoint.

References

  • GHSA-826p-4gcg-35vw
  • https://github.com/geonetwork/core-geonetwork/pull/8757
  • https://github.com/geonetwork/core-geonetwork/pull/8803
  • https://github.com/geonetwork/core-geonetwork/pull/8812
Database specific
{
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed_at": "2025-06-10T20:10:42Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-611",
        "CWE-918"
    ]
}
Affected packages

Maven / org.geonetwork-opensource:gn-web-app

Package

Name
org.geonetwork-opensource:gn-web-app
Purl
pkg:maven/org.geonetwork-opensource/gn-web-app

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.8

Database specific

{
    "last_known_affected_version_range": "<= 4.4.7"
}

Maven / org.geonetwork-opensource:gn-web-app

Package

Name
org.geonetwork-opensource:gn-web-app
Purl
pkg:maven/org.geonetwork-opensource/gn-web-app

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.13

Database specific

{
    "last_known_affected_version_range": "<= 4.2.12"
}

Maven / org.geonetwork-opensource:gn-wfsfeature-harvester

Package

Name
org.geonetwork-opensource:gn-wfsfeature-harvester
Purl
pkg:maven/org.geonetwork-opensource/gn-wfsfeature-harvester

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.8

Database specific

{
    "last_known_affected_version_range": "<= 4.4.7"
}

Maven / org.geonetwork-opensource:gn-wfsfeature-harvester

Package

Name
org.geonetwork-opensource:gn-wfsfeature-harvester
Purl
pkg:maven/org.geonetwork-opensource/gn-wfsfeature-harvester

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.13

Database specific

{
    "last_known_affected_version_range": "<= 4.2.12"
}
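
As an added example (not GeoNetwork, OSV or GitHub code), the following Python check applies the four affected ranges listed above to an installed version using OSV's half-open [introduced, fixed) semantics, and also confirms whether the documented workaround (the two jars removed) is in place. `AFFECTED` is hand-copied from the entries on this page; the versions and jar listings it is called with are constructed inputs. It only orders plain dotted numeric versions and refuses Maven qualifiers such as `-SNAPSHOT` or `-RC1` rather than guessing their order.

```python
"""Added example: apply this advisory's affected ranges and workaround to a
deployment.  Not GeoNetwork, OSV or GitHub code.  AFFECTED is copied from the
page; versions and jar listings passed in are constructed inputs."""

# The four affected entries from this page (package, OSV ECOSYSTEM events).
AFFECTED = [
    {"package": "org.geonetwork-opensource:gn-web-app",
     "events": [{"introduced": "4.4.0"}, {"fixed": "4.4.8"}]},
    {"package": "org.geonetwork-opensource:gn-web-app",
     "events": [{"introduced": "4.2.0"}, {"fixed": "4.2.13"}]},
    {"package": "org.geonetwork-opensource:gn-wfsfeature-harvester",
     "events": [{"introduced": "4.4.0"}, {"fixed": "4.4.8"}]},
    {"package": "org.geonetwork-opensource:gn-wfsfeature-harvester",
     "events": [{"introduced": "4.2.0"}, {"fixed": "4.2.13"}]},
]

# Jars the advisory's workaround says to remove from the deployment.
WORKAROUND_JAR_PREFIXES = ("gn-wfsfeature-harvester", "gn-camelPeriodicProducer")


def version_key(version):
    """Order dotted numeric versions only: '4.4.7' -> (4, 4, 7).
    Maven qualifiers (-SNAPSHOT, -RC1, ...) sort differently from the plain
    release, so they are rejected instead of silently mis-ordered."""
    if "-" in version or not all(p.isdigit() for p in version.split(".")):
        raise ValueError(f"cannot order non-numeric Maven version {version!r}")
    return tuple(int(p) for p in version.split("."))


def affected_range(package, version, affected=AFFECTED):
    """Return the 'fixed' version of the listed range that contains `version`,
    or None if no listed range does.  OSV ranges are half-open:
    introduced <= version < fixed.  None does not prove safety; it only means
    this advisory lists no range containing the version (here the ranges
    cover 4.2.0..4.2.12 and 4.4.0..4.4.7)."""
    v = version_key(version)
    for entry in affected:
        if entry["package"] != package:
            continue
        lower = None
        for event in entry["events"]:
            if "introduced" in event:
                lower = version_key(event["introduced"])
            elif "fixed" in event:
                if lower is not None and lower <= v < version_key(event["fixed"]):
                    return event["fixed"]
                lower = None
        # A trailing 'introduced' with no 'fixed' would mean "all later
        # versions"; none of this advisory's entries are shaped that way.
        if lower is not None and lower <= v:
            return "unfixed"
    return None


def workaround_applied(installed_jars):
    """True when none of the jars the advisory says to remove are present.
    `installed_jars` is the file listing of WEB-INF/lib (a constructed list
    in the example below)."""
    return not any(name.startswith(WORKAROUND_JAR_PREFIXES) for name in installed_jars)


def check(package, version, installed_jars=None, affected=AFFECTED):
    """Combine both checks.  Returns 'affected', 'mitigated' (in range but the
    workaround jars are gone) or 'not-affected' (patched build, or a version
    outside every listed range)."""
    if affected_range(package, version, affected) is None:
        return "not-affected"
    if installed_jars is not None and workaround_applied(installed_jars):
        return "mitigated"
    return "affected"


if __name__ == "__main__":
    # Constructed WEB-INF/lib listing of an unpatched 4.4.7 deployment.
    lib = ["gn-core-4.4.7.jar", "gn-wfsfeature-harvester-4.4.7.jar",
           "gn-camelPeriodicProducer-4.4.7.jar"]
    for ver in ("4.2.12", "4.2.13", "4.4.7", "4.4.8"):
        print(ver, check("org.geonetwork-opensource:gn-web-app", ver, lib))
```

In practice the version comes from the deployed `gn-web-app` artifact and the jar listing from the application's `WEB-INF/lib`; a result of `mitigated` is a stop-gap only, since the advisory's fix is to upgrade to 4.4.8 or 4.2.13.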