GHSA-6pfc-w86r-54q6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6pfc-w86r-54q6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-6pfc-w86r-54q6/GHSA-6pfc-w86r-54q6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-6pfc-w86r-54q6
- Aliases
- Related
- Published
- 2024-12-16T22:18:29Z
- Modified
- 2024-12-17T14:38:08Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Welcome and About GeoServer pages communicate version and revision information
- Details
-
Impact
The welcome and about page includes version and revision information about the software in use (including library and components used).
This information is sensitive from a security point of view because it allows software used by the server to be easily identified.
Proof of Concept
Welcome page footer:
<img width="432" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/a7fd5151-55d5-432b-9d5d-79136833609f">
About page build information.
<img width="401" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/59fcd8dd-eaee-4bf8-9578-a2a94b2864db">
Patches
No patch presently available.
Workarounds
No workaround available, although the ADMIN_CONSOLE can be disabled completely.
References
- Database specific
{ "nvd_published_at": "2024-12-16T23:15:06Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-12-16T22:18:29Z" }- References
-
- https://github.com/geoserver/geoserver/security/advisories/GHSA-6pfc-w86r-54q6
- https://nvd.nist.gov/vuln/detail/CVE-2024-35230
- https://github.com/geoserver/geoserver/commit/5fd5f35ae176eff3cc4667a5cf48e4bf5dc4ea99
- https://github.com/geoserver/geoserver/commit/74fdab745a5deff20ac99abca24d8695fe1a52f8
- https://github.com/geoserver/geoserver/commit/8cd1590a604a10875de67b04995f1952f631f920
- https://github.com/geoserver/geoserver
Affected packages
Maven / org.geoserver.web:gs-web-app
Package
- Name
- org.geoserver.web:gs-web-app
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geoserver.web/gs-web-app
Maven / org.geoserver.web:gs-web-core
Package
- Name
- org.geoserver.web:gs-web-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.geoserver.web/gs-web-core