CVE-2024-34711
BaseFortify

Publication date: 2025-06-10

Last updated on: 2025-08-26

Assigner: GitHub, Inc.

Description
GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthorized attacker to perform an XML External Entity (XXE) attack and then send GET requests to any HTTP server. By default, GeoServer uses the PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex `(?i)(jar:file|http|vfs)[^?#;]*\.xsd`. But the regex still leaves attackers a way to send requests to any HTTP server or to a limited set of files. Attackers can abuse this to scan internal networks, gather information about them and then exploit further. GeoServer 2.25.0 and greater defaults to the use of ENTITY_RESOLUTION_ALLOWLIST and does not require you to provide a system property.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-06-10
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
One associated CPE: vendor osgeo, product geoserver, versions up to 2.25.0 (excluding 2.25.0)
CWE-611: The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to perform network scanning and reconnaissance of your internal network through SSRF, read restricted .xsd schema files on your system, and potentially use the gathered information to launch further attacks. It can lead to information exposure and unauthorized access to internal resources without requiring any privileges or user interaction. [1]


Can you explain this vulnerability to me?

CVE-2024-34711 is a vulnerability in GeoServer where improper URI validation in XML processing allows an attacker to perform an XML External Entity (XXE) attack. This enables the attacker to send unauthorized GET requests to arbitrary HTTP servers (Server-Side Request Forgery, SSRF). The root cause is that the regex used to filter malicious URIs in XML entities is insufficiently restrictive, allowing attackers to access unintended HTTP endpoints or certain local .xsd schema files. This can be exploited to scan internal networks, gather sensitive information, and potentially escalate attacks. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for unusual XML External Entity (XXE) or Server-Side Request Forgery (SSRF) activity originating from GeoServer. Since the vulnerability allows unauthorized GET requests to arbitrary HTTP servers, network administrators can look for unexpected outbound HTTP requests from the GeoServer instance to internal or external hosts. Additionally, temporarily enabling detailed logging (using the higher logging levels described in Resource 2) can help capture suspicious XML processing events. Specific commands are not provided in the resources, but general approaches include:
1) Reviewing GeoServer logs for unusual XML entity resolution attempts;
2) Using network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP requests from the GeoServer server;
3) Searching logs or network captures for requests matching patterns of .xsd schema file access or unexpected HTTP GET requests.
For example, a tcpdump command to capture outbound HTTP and HTTPS connections initiated by GeoServer could be: `tcpdump -i <interface> 'src host <geoserver_ip> and (tcp dst port 80 or tcp dst port 443)'` (the parentheses matter because `and` binds more tightly than `or` in pcap filter syntax, and `src host` limits the capture to connections GeoServer itself opens). However, no explicit commands are detailed in the provided resources. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1) Upgrade GeoServer to version 2.25.0 or later, as these versions enable ENTITY_RESOLUTION_ALLOWLIST by default, which restricts the external XML schema locations that may be resolved and prevents exploitation of the improper URI validation vulnerability.
2) If upgrading is not immediately possible, manually define the system property ENTITY_RESOLUTION_ALLOWLIST to include only the trusted domains necessary for operation (e.g., www.w3.org, schemas.opengis.net, www.opengis.net, inspire.ec.europa.eu/schemas) to restrict external entity resolution.
3) In version 2.25.1 and later, regular expression support in ENTITY_RESOLUTION_ALLOWLIST was removed to enhance security, so ensure your configuration aligns with this.
4) Follow GeoServer production hardening best practices such as configuring logging appropriately, limiting service request sizes and features, applying role-based access control, and disabling unnecessary services or interfaces as described in Resource 2.
5) Consider disabling the web administration interface if not needed, and restrict anonymous access to sensitive pages.
These steps collectively reduce the attack surface and prevent exploitation of the vulnerability. [1, 2]
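The following is an added illustration, not code from GeoServer, GeoTools or this page's sources, of why the regex quoted in the Description is insufficient and why the host allowlist in mitigation step 2 is the fix. `legacy_regex_allows` applies the advisory's regex exactly as a full match; `allowlist_allows` is an allowlist check written for this example, modelled on the hosts listed in step 2 but not GeoTools' own implementation; the sample URIs and the address 192.0.2.10 (an RFC 5737 documentation address) are constructed.

```python
import re
from urllib.parse import urlsplit

# The pre-2.25.0 check described in the advisory: any entity URI fully
# matching this pattern was accepted. It constrains only the scheme prefix
# and the ".xsd" suffix; the host in between is unconstrained.
LEGACY_PATTERN = re.compile(r"(?i)(jar:file|http|vfs)[^?#;]*\.xsd")

# Example allowlist built from the hosts named in mitigation step 2.
# Entries are host names, optionally with a path prefix (as for the
# INSPIRE entry). This is an illustration, not GeoTools' own parser.
ALLOWLIST = (
    "www.w3.org",
    "schemas.opengis.net",
    "www.opengis.net",
    "inspire.ec.europa.eu/schemas",
)


def legacy_regex_allows(uri: str) -> bool:
    """Return True if the advisory's regex would let this entity URI through."""
    return LEGACY_PATTERN.fullmatch(uri) is not None


def allowlist_allows(uri: str, allowlist=ALLOWLIST) -> bool:
    """Allowlist-style check: exact host match plus optional path prefix.

    Only http(s) is accepted, so jar:file and vfs URIs are refused outright;
    the host must equal an allowlist entry, not merely contain or extend it.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    if not host:
        return False
    path = parts.path or "/"
    for entry in allowlist:
        entry_host, _, entry_prefix = entry.lower().partition("/")
        if host != entry_host:
            continue
        # Host matches; if the entry carries a path prefix, enforce it too.
        if entry_prefix and not (
            path == "/" + entry_prefix or path.startswith("/" + entry_prefix + "/")
        ):
            continue
        return True
    return False


def compare(uris):
    """Return {uri: (legacy_regex_verdict, allowlist_verdict)} for a batch."""
    return {u: (legacy_regex_allows(u), allowlist_allows(u)) for u in uris}


if __name__ == "__main__":
    # Constructed sample inputs. 192.0.2.10 is an RFC 5737 documentation
    # address standing in for "a host the server should not be contacting".
    samples = [
        "http://schemas.opengis.net/wfs/1.1.0/wfs.xsd",              # approved host
        "https://inspire.ec.europa.eu/schemas/example/1.0/example.xsd",  # approved prefix
        "http://192.0.2.10/probe.xsd",                                 # unapproved host
        "jar:file:/opt/geoserver/lib/some.jar!/schema.xsd",           # local jar URI
        "http://schemas.opengis.net.example/wfs.xsd",                 # lookalike host
    ]
    for uri, (legacy, strict) in compare(samples).items():
        print(f"regex={str(legacy):<5} allowlist={str(strict):<5} {uri}")
```

Every sample ending in `.xsd` passes the regex, including the unapproved host, the local jar URI and the lookalike domain; only the two approved entries pass the allowlist. That is the gap the advisory describes, and the reason step 2 replaces a suffix check with an exact host match.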

