CVE-2023-41877
GeoServer log file path traversal vulnerability
Description
### Impact This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the **Global Settings** for **log file location** to an arbitrary location. This can be used to read files via the admin console **GeoServer Logs** page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files. ### Patches As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources. Interested parties are welcome to contact geoserver-security@lists.osgeo.org for recommendations on developing a fix. ### Workarounds A system administrator responsible for running GeoServer can define the ``GEOSERVER_LOG_FILE`` parameter, preventing the global setting provided from being used. The ``GEOSERVER_LOG_LOCATION`` parameter can be set as system property, environment variable, or servlet context parameter. Environmental variable: ```bash export GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs ``` System property: ```bash -DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs ``` Web application ``WEB-INF/web.xml``: ```xml <context-param> <param-name> GEOSERVER_LOG_LOCATION </param-name> <param-value>/var/opt/geoserver/logs</param-value> </context-param> ``` Tomcat **conf/Catalina/localhost/geoserver.xml**: ```xml <Context> <Parameter name="GEOSERVER_LOG_LOCATION" value="/var/opt/geoserver/logs" override="false"/> </Context> ``` ### References * [Log location](https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location) (User Manual)
How to fix CVE-2023-41877
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2023-41877 being exploited?
Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.