CVE-2023-41877: GeoServer log file path traversal vulnerability

March 20, 2024

This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the Global Settings for log file location to an arbitrary location.

This can be used to read files via the admin console GeoServer Logs page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files.

References

docs.geoserver.org/latest/en/user/configuration/globalsettings.html
github.com/advisories/GHSA-8g7v-vjrc-x4g5
github.com/geoserver/geoserver
github.com/geoserver/geoserver/security/advisories/GHSA-8g7v-vjrc-x4g5
nvd.nist.gov/vuln/detail/CVE-2023-41877

Detect and mitigate CVE-2023-41877 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →