### Critical Vulnerability Information

#### Vulnerability Name

Improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML processing (SSRF)

#### Affected Versions

- org.geoserver.main:gs-main (Maven): <2.25.0
- org.geoserver.web:gs-web-app:war (Maven): <2.25.0

#### Fixed Versions

- org.geoserver.main:gs-main (Maven): 2.25.0
- org.geoserver.web:gs-web-app:war (Maven): 2.25.0

#### Vulnerability Description

Improper validation of the URIs used during XML processing allows unauthenticated attackers to perform XML External Entity (XXE) attacks and, through them, to make the server issue HTTP GET requests to arbitrary hosts (SSRF). An attacker can use this to scan internal networks and gather information for further attacks. Attackers can also read a limited set of .xsd files on the server's file system.

#### Impact

Unauthenticated attackers can:

1. Scan internal networks to gather information about them and use it in further attacks.
2. Perform SSRF against endpoints whose URL ends with .xsd.
3. Read a limited set of .xsd files on the system.

#### Mitigation Measures

1. Define the system property ENTITY_RESOLUTION_ALLOWLIST to restrict the external schema locations that GeoServer will resolve.
2. The built-in allowlist covers the locations required for OGC Web Service operation: www.w3.org, schemas.opengis.net, www.opengis.net and inspire.ec.europa.eu/schemas.
3. The user guide explains how to add further locations (for example, those required by the application schema extension).

#### Solution

1. GeoServer 2.25.0 and later use ENTITY_RESOLUTION_ALLOWLIST by default; you no longer need to set the system property yourself.
2. If you need schema locations outside the built-in allowlist, ENTITY_RESOLUTION_ALLOWLIST is still supported for adding them.
3. GeoServer 2.25.1 changed the format of ENTITY_RESOLUTION_ALLOWLIST: regular expressions are no longer supported.
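The following is an added illustration of the allowlist mechanism the mitigation describes; it is not GeoServer's code (which is Java) and its matching rule is an assumption of this example: only http/https locations are fetchable, the host must equal an allowlist entry exactly (so userinfo tricks such as `http://www.w3.org@10.0.0.5/` do not match), and an entry with a path component (`inspire.ec.europa.eu/schemas`) is a path prefix. The parser hooks expat's external-entity callback, which covers both the external DTD subset and external general entities, and inspects `xsi:schemaLocation` / `xsi:noNamespaceSchemaLocation` on every element. The sample documents (a well-formed WFS request, an SSRF probe against an internal host, and a DOCTYPE pointing at an internal DTD) are constructed for the example.

```python
import posixpath
import xml.parsers.expat as expat
from urllib.parse import urlsplit

# Built-in allowlist as listed in the advisory. An entry is a bare host or a
# host followed by a path prefix.
BUILTIN_ALLOWLIST = (
    "www.w3.org",
    "schemas.opengis.net",
    "www.opengis.net",
    "inspire.ec.europa.eu/schemas",
)

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"


def is_allowed(uri, allowlist=BUILTIN_ALLOWLIST):
    """True if uri may be fetched as an external schema/entity location.

    Matching rule is an assumption of this example, not GeoServer's exact logic:
    http/https only, exact host match, optional path-prefix match.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False  # file:, jar:, ftp: and friends are never fetched
    host = (parts.hostname or "").lower()  # hostname drops userinfo and port
    path = posixpath.normpath(parts.path or "/")  # /schemas/../x becomes /x
    for entry in allowlist:
        entry_host, _, prefix = entry.partition("/")
        if host != entry_host.lower():
            continue
        if not prefix:
            return True  # whole host allowed
        prefix = "/" + prefix.strip("/")
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


class BlockedExternalResource(Exception):
    """Raised when the document references a location outside the allowlist."""

    def __init__(self, uri):
        super().__init__(f"external location refused by allowlist: {uri}")
        self.uri = uri


def scan_external_locations(xml_bytes, allowlist=BUILTIN_ALLOWLIST):
    """Parse xml_bytes, gating every external location against the allowlist.

    Returns (accepted, decisions); decisions lists (uri, allowed) in the order
    encountered. Parsing stops at the first refused location.
    """
    decisions = []

    def external_ref(context, base, system_id, public_id):
        # Called for <!DOCTYPE x SYSTEM "..."> and for referenced external
        # general entities (<!ENTITY xxe SYSTEM "...">).
        ok = is_allowed(system_id, allowlist)
        decisions.append((system_id, ok))
        if not ok:
            raise BlockedExternalResource(system_id)
        # A real resolver would fetch and parse the entity here; this offline
        # example treats allowed entities as empty and lets parsing continue.
        return 1

    def start_element(name, attrs):
        # xsi:schemaLocation holds "namespace location" pairs, so every odd
        # token is a location; xsi:noNamespaceSchemaLocation is one location.
        pairs = attrs.get(f"{XSI_NS} schemaLocation", "").split()
        single = attrs.get(f"{XSI_NS} noNamespaceSchemaLocation", "").split()
        for uri in pairs[1::2] + single:
            ok = is_allowed(uri, allowlist)
            decisions.append((uri, ok))
            if not ok:
                raise BlockedExternalResource(uri)

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    try:
        parser.Parse(xml_bytes, True)
    except BlockedExternalResource:
        return False, decisions
    return True, decisions


# Constructed sample documents (not captured traffic).
WFS_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.opengis.net/wfs http://schemas.opengis.net/wfs/1.1.0/wfs.xsd"/>
"""

WFS_SSRF = b"""<?xml version="1.0" encoding="UTF-8"?>
<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.opengis.net/wfs http://10.0.0.5:8080/admin/wfs.xsd"/>
"""

XXE_DTD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE GetFeature SYSTEM "http://10.0.0.5:8080/probe.dtd">
<GetFeature/>
"""

if __name__ == "__main__":
    for label, doc in (("ok", WFS_OK), ("ssrf", WFS_SSRF), ("xxe", XXE_DTD)):
        print(label, scan_external_locations(doc))
```

The point of checking at resolution time rather than by a regular expression over the raw string is that the host is compared after URL parsing, so `http://www.w3.org@10.0.0.5/x.xsd` is attributed to `10.0.0.5` and refused; this is the same direction GeoServer 2.25.1 took when it dropped regular-expression support from ENTITY_RESOLUTION_ALLOWLIST in favour of literal entries.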
#### CVSS Score

- Severity: Medium (6.5/10)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: Low

#### CVE ID

CVE-2024-34711

#### Weaknesses

- CWE-20 (Improper Input Validation)
- CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- CWE-611 (Improper Restriction of XML External Entity Reference)
- CWE-918 (Server-Side Request Forgery)

#### Reporters

- lemauanhphong
- jodygarnett