CVE-2023-41877: GeoServer log file path traversal vulnerability
First published: Wed Mar 20 2024(Updated: )
### Impact This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the **Global Settings** for **log file location** to an arbitrary location. This can be used to read files via the admin console **GeoServer Logs** page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files. ### Patches As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources. Interested parties are welcome to contact geoserver-security@lists.osgeo.org for recommendations on developing a fix. ### Workarounds A system administrator responsible for running GeoServer can define the ``GEOSERVER_LOG_FILE`` parameter, preventing the global setting provided from being used. The ``GEOSERVER_LOG_LOCATION`` parameter can be set as system property, environment variable, or servlet context parameter. Environmental variable: ```bash export GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs ``` System property: ```bash -DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs ``` Web application ``WEB-INF/web.xml``: ```xml <context-param> <param-name> GEOSERVER_LOG_LOCATION </param-name> <param-value>/var/opt/geoserver/logs</param-value> </context-param> ``` Tomcat **conf/Catalina/localhost/geoserver.xml**: ```xml <Context> <Parameter name="GEOSERVER_LOG_LOCATION" value="/var/opt/geoserver/logs" override="false"/> </Context> ``` ### References * [Log location](https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location) (User Manual)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.geoserver:gs-main | <=2.23.4 | |
| Geoserver Geoserver | <=2.23.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/weakness
- agent/title
- agent/first-publish-date
- agent/type
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8g7v-vjrc-x4g5
- alias/CVE-2023-41877
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/event
- agent/author
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/trending
- package-manager/maven
- vendor/geoserver
- canonical/geoserver geoserver
- version/geoserver geoserver/2.23.4