5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-35230

GHSA ID

GHSA-6pfc-w86r-54q6

EPSS Score

0.14667%

CWE

CWE-200

Published

12/16/2024

Updated

12/17/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-35230

CVE-2024-35230:
Welcome and About GeoServer pages communicate version and revision information

Impact

The welcome and about page includes version and revision information about the software in use (including library and components used).

This information is sensitive from a security point of view because it allows software used by the server to be easily identified.

Proof of Concept

Welcome page footer:
<img width="432" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/a7fd5151-55d5-432b-9d5d-79136833609f">
About page build information.
<img width="401" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/59fcd8dd-eaee-4bf8-9578-a2a94b2864db">

Patches

No patch presently available.

Workarounds

No workaround available, although the ADMIN_CONSOLE can be disabled completely.

References

About GeoServer

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-35230

GHSA ID

GHSA-6pfc-w86r-54q6

EPSS Score

0.14667%

CWE

CWE-200

Published

12/16/2024

Updated

12/17/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geoserver.web:gs-web-app	maven	>= 2.0.0, < 2.25.1	2.25.1
org.geoserver.web:gs-web-core	maven	>= 2.0.0, < 2.25.1	2.25.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in two UI components: 1) The welcome page footer (GeoServerHomePage) displayed version information to all users without authentication checks. 2) The About page (AboutGeoServerPage) constructor added version/revision labels without authorization checks. Commit 74fdab7 shows the footerMessage() was modified to hide version info from non-admins, and commit 8cd1590 reveals the About page build info was wrapped in admin-only visibility checks. The vulnerable versions lacked these protections, making these functions the exposure points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** w*l*om* *n* **out p*** in*lu**s v*rsion *n* r*vision in*orm*tion **out t** so*tw*r* in us* (in*lu*in* li*r*ry *n* *ompon*nts us**). T*is in*orm*tion is s*nsitiv* *rom * s**urity point o* vi*w ****us* it *llows so*tw*r* us** *y t** s*

Reasoning

T** vuln*r**ility m*ni**sts in two UI *ompon*nts: *) T** w*l*om* p*** *oot*r (`**oS*rv*r*om*P***`) *ispl*y** v*rsion in*orm*tion to *ll us*rs wit*out *ut**nti**tion ****ks. *) T** **out p*** (`**out**oS*rv*rP***`) *onstru*tor ***** v*rsion/r*vision l

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-35230: Welcome and About GeoServer pages communicate version and revision information

Impact

Proof of Concept

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-35230:
Welcome and About GeoServer pages communicate version and revision information

Vulnerability Intelligence
Miggo AI