CVE-2024-23634: GeoServer Arbitrary file renaming vulnerability in REST Coverage/Data Store API
An arbitrary file renaming vulnerability exists that enables an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in “.zip”.
References
- github.com/advisories/GHSA-75m5-hh4r-q9gx
- github.com/geoserver/geoserver
- github.com/geoserver/geoserver/commit/5d6af2f8ba9ad7dffae59575504a867159698772
- github.com/geoserver/geoserver/commit/c37f58fbacdfa0d581a6f99195585f70b1201f0a
- github.com/geoserver/geoserver/pull/7289
- github.com/geoserver/geoserver/security/advisories/GHSA-75m5-hh4r-q9gx
- nvd.nist.gov/vuln/detail/CVE-2024-23634
- osgeo-org.atlassian.net/browse/GEOS-11213
Code Behaviors & Features
Detect and mitigate CVE-2024-23634 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →