CVE-2024-32037
GeoNetwork search end-point information disclosure in response headers
Description
### Impact

The search end-point response headers contain information about Elasticsearch software in use. This information is sensitive from a security point of view because it allows software used by the server to be easily identified.

### Patches

GeoNetwork 4.4.5 / 4.2.10

### Workarounds

None

### References

- [CVE-2024-32037](https://www.cve.org/CVERecord?id=CVE-2024-32037)
- [Search service](https://docs.geonetwork-opensource.org/4.4/api/search/)

### Credits

- [Ministry of Economic Affairs and Climate Policy](https://www.rijksoverheid.nl/ministeries/ministerie-van-economische-zaken-en-klimaat), The Netherlands.
How to fix CVE-2024-32037
To remediate CVE-2024-32037, upgrade the affected package to a fixed version below.
- Upgrade to 4.4.5 or later
Is CVE-2024-32037 being exploited?
Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.4.0, < 4.4.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |