CVE-2024-29198

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw	Mitigation Third Party Advisory
https://osgeo-org.atlassian.net/browse/GEOS-11390	Issue Tracking
https://osgeo-org.atlassian.net/browse/GEOS-11794	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:osgeo:geoserver::::::::
	cpe:2.3:a:osgeo:geoserver::::::::

History

26 Aug 2025, 16:25

Type	Values Removed	Values Added
CPE		cpe:2.3:a:osgeo:geoserver::::::::
References	~~() https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw -~~	() https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw - Mitigation, Third Party Advisory
References	~~() https://osgeo-org.atlassian.net/browse/GEOS-11390 -~~	() https://osgeo-org.atlassian.net/browse/GEOS-11390 - Issue Tracking
References	~~() https://osgeo-org.atlassian.net/browse/GEOS-11794 -~~	() https://osgeo-org.atlassian.net/browse/GEOS-11794 - Permissions Required
First Time		Osgeo geoserver Osgeo

12 Jun 2025, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 15:15

Updated : 2025-08-26 16:25

NVD link : CVE-2024-29198

Mitre link : CVE-2024-29198

CVE.ORG link : CVE-2024-29198

JSON object : View

Products Affected

osgeo

geoserver

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-29198", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "published": "2025-06-10T15:15:22.140", "references": [{"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://osgeo-org.atlassian.net/browse/GEOS-11390", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://osgeo-org.atlassian.net/browse/GEOS-11794", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It possible to achieve Service Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet resolving this issue."}, {"lang": "es", "value": "GeoServer es un servidor de software de c\u00f3digo abierto escrito en Java que permite a los usuarios compartir y editar datos geoespaciales. Es posible realizar Service Side Request Forgery (SSRF) a trav\u00e9s del endpoint de la solicitud de demostraci\u00f3n si no se ha configurado la URL base del proxy. La actualizaci\u00f3n a GeoServer 2.24.4 o 2.25.2 elimina el servlet TestWfsPost, lo que soluciona este problema."}], "lastModified": "2025-08-26T16:25:00.947", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF88E5A1-8701-48D6-9770-6AF7E83F9837", "versionEndExcluding": "2.24.4", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72B34DF6-4739-47A2-A8D0-9E63879F0858", "versionEndExcluding": "2.25.2", "versionStartIncluding": "2.25.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}