CVE-2024-35230

Description

### Impact The welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. ### Proof of Concept 1. Welcome page footer: <img width="432" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/a7fd5151-55d5-432b-9d5d-79136833609f"> 2. About page *build information*. <img width="401" alt="image" src="https://github.com/geoserver/geoserver/assets/629681/59fcd8dd-eaee-4bf8-9578-a2a94b2864db"> ### Patches No patch presently available. ### Workarounds No workaround available, although the ADMIN_CONSOLE can be disabled completely. ### References * [About GeoServer](https://docs.geoserver.org/latest/en/user/webadmin/about.html)

How to fix CVE-2024-35230

To remediate CVE-2024-35230, upgrade the affected package to a fixed version below.

• —upgrade to 2.25.1 or later
• —upgrade to 2.25.1 or later

Is CVE-2024-35230 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 2.0.0, < 2.25.1
• >= 2.0.0, < 2.25.1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-35230
• PATCHgithub.com/geoserver/geoserver
• WEBgithub.com/geoserver/geoserver/commit/5fd5f35ae176eff3cc4667a5cf48e4bf5dc4ea99
• WEBgithub.com/geoserver/geoserver/commit/74fdab745a5deff20ac99abca24d8695fe1a52f8