GHSA-2p76-gc46-5fvc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2p76-gc46-5fvc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-2p76-gc46-5fvc/GHSA-2p76-gc46-5fvc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2p76-gc46-5fvc
- Published
- 2025-06-10T20:10:42Z
- Modified
- 2025-06-10T20:10:42Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L CVSS Calculator
- Summary
- GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint
- Details
-
Impact
GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation.
This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files
Patches
GeoNetwork 4.4.8 / 4.2.13.
Workarounds
Remove the
gn-wfsfeature-harvesterandgn-camelPeriodicProducerjars, disabling the WFS Index functionality.References
- GHSA-826p-4gcg-35vw
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812
- Database specific
{ "nvd_published_at": null, "severity": "HIGH", "github_reviewed_at": "2025-06-10T20:10:42Z", "github_reviewed": true, "cwe_ids": [ "CWE-611", "CWE-918" ] }- References
-
- https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc
- https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812
- https://github.com/geonetwork/core-geonetwork
Affected packages
Maven / org.geonetwork-opensource:gn-web-app
Package
- Name
- org.geonetwork-opensource:gn-web-app
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geonetwork-opensource/gn-web-app
Maven / org.geonetwork-opensource:gn-web-app
Package
- Name
- org.geonetwork-opensource:gn-web-app
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geonetwork-opensource/gn-web-app
Maven / org.geonetwork-opensource:gn-wfsfeature-harvester
Package
- Name
- org.geonetwork-opensource:gn-wfsfeature-harvester
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geonetwork-opensource/gn-wfsfeature-harvester
Maven / org.geonetwork-opensource:gn-wfsfeature-harvester
Package
- Name
- org.geonetwork-opensource:gn-wfsfeature-harvester
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geonetwork-opensource/gn-wfsfeature-harvester