CVE-2023-41877

Description

### Impact This vulnerability requires GeoServer Administrator with access to the admin console to misconfigured the **Global Settings** for **log file location** to an arbitrary location. This can be used to read files via the admin console **GeoServer Logs** page. It is also possible to leverage RCE or cause denial of service by overwriting key GeoServer files. ### Patches As this issue requires GeoServer administrators access, often representing a trusted party, the vulnerability has not yet attracted a volunteer or resources. Interested parties are welcome to contact [email protected] for recommendations on developing a fix. ### Workarounds A system administrator responsible for running GeoServer can define the ``GEOSERVER_LOG_FILE`` parameter, preventing the global setting provided from being used. The ``GEOSERVER_LOG_LOCATION`` parameter can be set as system property, environment variable, or servlet context parameter. Environmental variable: ```bash export GEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs ``` System property: ```bash -DGEOSERVER_LOG_LOCATION=/var/opt/geoserver/logs ``` Web application ``WEB-INF/web.xml``: ```xml <context-param> <param-name> GEOSERVER_LOG_LOCATION </param-name> <param-value>/var/opt/geoserver/logs</param-value> </context-param> ``` Tomcat **conf/Catalina/localhost/geoserver.xml**: ```xml <Context> <Parameter name="GEOSERVER_LOG_LOCATION" value="/var/opt/geoserver/logs" override="false"/> </Context> ``` ### References * [Log location](https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location) (User Manual)

Affected packages (1)

• Maven/org.geoserver:gs-mainfrom 0, <= 2.23.4

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-41877
• PATCHhttps://github.com/geoserver/geoserver
• WEBhttps://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#log-location
• WEBhttps://github.com/geoserver/geoserver/security/advisories/GHSA-8g7v-vjrc-x4g5