CVE-2024-29198 | THREATINT

Description

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.

PUBLISHED Reserved 2024-03-18 | Published 2025-06-10 | Updated 2025-06-17 | Assigner GitHub_M

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

>= 2.0.0, < 2.24.4

affected

>= 2.25.0, < 2.25.2

affected

References

github.com/...server/security/advisories/GHSA-5gw5-jccf-6hxw

osgeo-org.atlassian.net/browse/GEOS-11390

osgeo-org.atlassian.net/browse/GEOS-11794

cve.org (CVE-2024-29198)

nvd.nist.gov (CVE-2024-29198)

Download JSON