CVE-2024-34696: GeoServer's Server Status shows sensitive environmental variables and Java properties
GeoServer's Server Status page and REST API (at `/geoserver/rest/about/status`) list all environment variables and Java system properties, as part of the modules' status message, to any GeoServer user with administrative rights.

These variables and properties can contain sensitive information, such as database passwords or API keys/tokens, for example:

- Data stores defined with parameterized catalog settings (`-DALLOW_ENV_PARAMETRIZATION=true`) that need a password or access key.
- GeoServer's official Docker image uses environment variables to configure PostgreSQL JNDI resources, including credentials (`POSTGRES_HOST`, `POSTGRES_USERNAME`, `POSTGRES_PASSWORD`).
Additionally, many community-developed GeoServer container images export other credentials from their start-up scripts as environment variables to the GeoServer (Java) process, such as:

- GeoServer `admin` and master (root) passwords
- Tomcat management application password
- HTTPS/TLS certificate key store password
- AWS S3 bucket access keys
The precise scope of the issue depends on which container image is used and how it is configured.
> [!NOTE]
> Some container images allow passing secrets as files (e.g. `POSTGRES_PASSWORD_FILE`), or randomly generate passwords on start-up. While this is promoted as best practice[^secret-files], if the start-up script exports these secrets as environment variables to the GeoServer process, they are exposed by this issue all the same.
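To check whether a deployment is affected, an administrator can fetch the status message and look for credential-like variable names in it. The script below is an added example, not GeoServer project code and not part of the original advisory. It assumes the endpoint path named above and HTTP basic authentication for the administrator account; because the advisory does not specify the layout of the status message, the scanner treats the response as plain text and matches `NAME=VALUE` pairs. The sample status body is constructed for this example, and the variable names in it that the advisory does not list (`GEOSERVER_ADMIN_PASSWORD`, `javax.net.ssl.keyStorePassword`) are assumptions.

```python
"""Scan a GeoServer status response for leaked credentials.

Added example, not GeoServer project code. Assumptions: the status endpoint
is /geoserver/rest/about/status and requires an administrator's basic-auth
credentials; the status message layout is not specified by the advisory, so
the body is scanned as text for NAME=VALUE pairs with credential-like names.
"""
import base64
import re
import urllib.request

# Name fragments that usually denote a credential (case-insensitive).
SENSITIVE_NAME_RE = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|ACCESS_KEY|SECRET_KEY|API_KEY|KEYSTORE)",
    re.IGNORECASE,
)

# NAME=VALUE where NAME is an env-var or Java-property style identifier.
PAIR_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_.]*)=([^\s,;<\"']+)")


def redact(value: str) -> str:
    """Keep the first two characters so the report itself does not leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_exposed_secrets(status_text: str) -> dict:
    """Return {name: redacted_value} for every credential-looking NAME=VALUE pair."""
    found = {}
    for name, value in PAIR_RE.findall(status_text):
        if SENSITIVE_NAME_RE.search(name):
            found[name] = redact(value)
    return found


def fetch_status(base_url: str, username: str, password: str) -> str:
    """GET /geoserver/rest/about/status as an administrator and return the body.

    Only administrators can read the page, so this needs admin credentials;
    run it against your own instance.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/geoserver/rest/about/status",
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample. POSTGRES_* and ALLOW_ENV_PARAMETRIZATION come from the
# advisory; the other credential names are assumed for illustration.
SAMPLE_STATUS = """
Environment variables: PATH=/usr/local/bin:/usr/bin HOME=/opt/geoserver
POSTGRES_HOST=db POSTGRES_USERNAME=geo POSTGRES_PASSWORD=S3cr3tPg
GEOSERVER_ADMIN_PASSWORD=admin123 AWS_SECRET_ACCESS_KEY=example-secret
Java properties: java.version=11.0.22 ALLOW_ENV_PARAMETRIZATION=true
javax.net.ssl.keyStorePassword=changeit
"""

if __name__ == "__main__":
    # Replace SAMPLE_STATUS with fetch_status("https://geoserver.example", "admin", "...")
    # to check a live instance.
    for name, shown in sorted(find_exposed_secrets(SAMPLE_STATUS).items()):
        print(f"{name} = {shown}")
```

Any hit means the value is readable by every account with the administrator role; rotate the secret after upgrading, and prefer supplying credentials through a mechanism that the start-up script does not export into the GeoServer process environment.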