CVE-2024-38524
Severity: MEDIUM
GeoServer < 2.25.6 and 2.26.0-2.26.2 - Exposure of Sensitive Information via GeoWebCache Dispatcher
GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) performs no check to hide potentially sensitive information from users; the only control is a hidden system property that hides the storage locations, and it defaults to showing them. This vulnerability is fixed in 2.26.2 and 2.25.6.
References (5)
Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/geoserver/geoserver/security/advisories/GHSA-jm79-7xhw-6f6f
Issue Tracking (x_refsource_misc): https://github.com/GeoWebCache/geowebcache/issues/1344
Patch (x_refsource_misc): https://github.com/GeoWebCache/geowebcache/pull/1345
Patch (x_refsource_misc): https://github.com/geoserver/geoserver/pull/8189
Issue Tracking, Patch (x_refsource_misc): https://osgeo-org.atlassian.net/browse/GEOS-11677
Scores
CVSS v3
5.3
EPSS
0.0037
EPSS Percentile
28.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (3)
org.geoserver/gs-gwc
2.26.0 - 2.26.2 (Maven)
org.geoserver.web/gs-web-app
2.26.0 - 2.26.2 (Maven)
osgeo/geoserver
< 2.25.6
Published
Jun 10, 2025
Tracked Since
Feb 18, 2026