7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-24749

CVE-2024-24749: Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat

Impact

If GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCache ByteStreamController class and read arbitrary classpath resources with specific file name extensions.

If GeoServer is also deployed as a web archive using the data directory embedded in the geoserver.war file (rather than an external data directory), it will likely be possible to read specific resources to gain administrator privileges. However, it is very unlikely that production environments will be using the embedded data directory since, depending on how GeoServer is deployed, it will be erased and re-installed (which would also reset to the default password) either every time the server restarts or every time a new GeoServer WAR is installed and is therefore difficult to maintain. An external data directory will always be used if GeoServer is running in standalone mode (via an installer or a binary).

Patches

https://github.com/GeoWebCache/geowebcache/pull/1211

Workarounds

Change environment:

Change from Windows operating system. This vulnerability depends on Windows file paths so Linux and Mac OS are not vulnerable.
Change from Apache Tomcat application server. Jetty and WildFly are confirmed to not be vulnerable. Other application servers have not been tested and may be vulnerable.

Disable anonymous access to the embeded GeoWebCache administration and status pages:

Navigate to Security > Authentication Page
Locate Filter Chains heading
Select the web filter filter chain (ant pattern /web/**,/gwc/rest/web/**,/)
Remove ,/gwc/rest/web/** from the pattern (so that /web/**,/ is left).
Save the changes

References

CVE-Pending

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-24749

CVE-2024-24749:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geoserver.web:gs-web-app	maven	< 2.23.5	2.23.5
org.geoserver.web:gs-web-app	maven	>= 2.24.0, < 2.24.3	2.24.3
org.geoserver:gs-gwc	maven	< 2.23.5	2.23.5
org.geoserver:gs-gwc	maven	>= 2.24.0, < 2.24.3	2.24.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path validation in the ByteStreamController. The pre-patch getFileName() method: 1) Used request.getPathInfo() which doesn't account for URL encoding 2) Didn't properly handle Windows path separators (backslashes) 3) Performed substring operations without full URL decoding first. This allowed attackers to bypass validation using Windows-style paths and URL encoding. The patch in PR #1211 specifically addresses these issues by using URLDecoder on the full request URI, normalizing path separators, and implementing stricter path validation checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-24749: Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat

Impact

Patches

Workarounds

References

CVE-2024-24749:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2024-24749: Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI