
GHSA-2p76-gc46-5fvc: GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint

CVSS Score: 8.2 (CVSS 3.1)

Basic Information

CVE ID: -
EPSS Score: -
Published: 6/10/2025
Updated: 6/10/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.geonetwork-opensource:gn-web-app | maven | >= 4.4.0, <= 4.4.7 | 4.4.8
org.geonetwork-opensource:gn-web-app | maven | >= 4.2.0, <= 4.2.12 | 4.2.13
org.geonetwork-opensource:gn-wfsfeature-harvester | maven | >= 4.4.0, <= 4.4.7 | 4.4.8
org.geonetwork-opensource:gn-wfsfeature-harvester | maven | >= 4.2.0, <= 4.2.12 | 4.2.13

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is an XML External Entity (XXE) injection flaw in the GeoTools library, triggered during schema validation when GeoNetwork's WFS Index functionality is used. GeoNetwork exposes the flaw through its WFS indexing REST API endpoints, which were originally not secured, so an unauthenticated client could reach the vulnerable code path.

The primary GeoNetwork-side patch (commit d71e8348342ee3c6d38e5698e7abcf326fc9863d from PR #8757) addresses the missing authentication on these endpoints: it adds @PreAuthorize("hasAuthority('Editor')") annotations to the indexWfs and deleteWfs methods of the org.fao.geonet.harvester.wfsfeatures.WFSHarvesterApi class, so both now require a principal holding the Editor authority.

  1. org.fao.geonet.harvester.wfsfeatures.WFSHarvesterApi.indexWfs: This method is the most likely direct entry point for the XXE attack. It takes a WFSHarvesterParameter as its request body, and the XML processed during the resulting indexing run is schema-validated by GeoTools, which is where the XXE is triggered. The patch adding authentication confirms this method was an unsecured entry point.

  2. org.fao.geonet.harvester.wfsfeatures.WFSHarvesterApi.deleteWfs: This method was also patched to require authentication. It is unlikely to be the primary XXE vector, since XXE requires the parsing of attacker-influenced XML, which is characteristic of an index or create operation rather than a delete; its inclusion in the patch nevertheless shows it was another unsecured part of the vulnerable WFS Index functionality.

The other two pull requests (PR #8803 and PR #8812) and their associated commits (2906f9e1d5e84a3b254f725780c7966ae8dce3b4 and 2be40410defa92098a1f157be257aaefc9e351d9) update the GeoTools library version in pom.xml. That dependency upgrade is the fix for the underlying XXE flaw in GeoTools itself; the authentication change only removes the unauthenticated route to it, so a deployment that applies one without the other remains exposed either to any authenticated Editor or to anonymous callers.

Therefore, the GeoNetwork functions indexWfs and deleteWfs are identified as vulnerable because they were the unauthenticated gateways through which an attacker could trigger the XXE flaw in the GeoTools dependency. indexWfs is the most direct route, since it drives the XML processing that is subject to schema validation.
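To make the root cause concrete, the following is an added example that is not GeoNetwork or GeoTools code: it shows the same vulnerability class, an external general entity declared in an internal DTD being resolved by the XML parser, first with external entity resolution enabled (the vulnerable behaviour) and then with it disabled (the hardened setting). Python's xml.sax/expat stands in for the Java XML stack; the secret file, its contents, the document and the element names are all constructed here so the example runs offline.

```python
"""XXE via an external general entity: vulnerable vs hardened parsing.

Added illustration, not GeoNetwork or GeoTools code. Python's xml.sax/expat
stands in for the Java XML stack; the secret file and the document are
constructed here so the example runs offline.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

# Constructed secret written to a temp file that the entity will point at.
CONSTRUCTED_SECRET = "CONSTRUCTED-SECRET-TOKEN-42"


class _TextCollector(ContentHandler):
    """Collects character data, i.e. whatever the parser expands into content."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def make_xxe_document(target_path: str) -> bytes:
    """Constructed attacker document: the internal DTD declares an external
    general entity whose SYSTEM identifier is a local file, then references
    it inside an element so its contents land in the parsed text."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE wfs [\n"
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        "]>\n"
        "<wfs><typeName>&xxe;</typeName></wfs>\n"
    ).encode()


def extract_text(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse the document and return its concatenated text content.

    resolve_external_entities=True mirrors a parser that fetches SYSTEM
    entities (the vulnerable behaviour); False is the hardened setting,
    comparable to disabling external-general-entities or restricting
    external DTD access in JAXP.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo() -> tuple:
    """Run the same constructed document through both parser configurations.

    Returns (vulnerable_text, hardened_text).
    """
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write(CONSTRUCTED_SECRET)
        doc = make_xxe_document(secret_path)
        vulnerable = extract_text(doc, resolve_external_entities=True)
        hardened = extract_text(doc, resolve_external_entities=False)
    return vulnerable, hardened


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable parser leaked secret:", CONSTRUCTED_SECRET in vuln)
    print("hardened parser leaked secret:", CONSTRUCTED_SECRET in hard)
```

The vulnerable configuration returns the secret file's contents as the text of the typeName element; the hardened one returns nothing for the entity reference. In a JAXP-based stack such as GeoTools' validation path, the corresponding defence-in-depth settings are the "http://apache.org/xml/features/disallow-doctype-decl" feature on the parser factory and an empty-string value for javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD (and ACCESS_EXTERNAL_SCHEMA) on the SchemaFactory and Validator. Those settings complement, and do not replace, the two fixes the advisory describes: upgrading GeoTools and gating the endpoints behind the Editor authority.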

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Impact

GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation. This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauth

Reasoning

The vulnerability is an XML External Entity (XXE) injection flaw that occurs in the GeoTools library during schema validation when GeoNetwork's WFS Index functionality is used. The GeoNetwork application exposes this vulnerability through its WFS in