
CVE-2024-34711: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in geoserver geoserver

Critical
Tags: CVE-2024-34711, CWE-200, CWE-611, CWE-918
Published: Tue Jun 10 2025 (06/10/2025, 14:33:18 UTC)
Source: CVE Database V5
Vendor/Project: geoserver
Product: geoserver

Description

GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability exists that enables an unauthenticated attacker to perform an XML External Entity (XXE) attack and then send GET requests to any HTTP server. By default, GeoServer uses the PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. But the regex leaves a chance for attackers to send requests to any HTTP server or to a limited set of files. An attacker can abuse this to scan internal networks, gain information about them, and then exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and do not require you to provide a system property.

AI-Powered Analysis

Last updated: 07/11/2025, 04:18:57 UTC

Technical Analysis

CVE-2024-34711 is a critical vulnerability affecting GeoServer versions prior to 2.25.0. GeoServer is an open-source server platform used to share and edit geospatial data, widely utilized in geographic information systems (GIS) deployments. The vulnerability arises from improper URI validation in XML External Entity (XXE) processing. Specifically, GeoServer uses the PreventLocalEntityResolver class from GeoTools to filter potentially malicious URIs in XML entities before resolution. This filtering relies on a regex pattern intended to allow only certain URI schemes and file types (e.g., jar:file, http, vfs with .xsd extensions). However, the regex is insufficiently restrictive, allowing attackers to craft XML payloads that cause the server to send GET requests to arbitrary HTTP servers. This can be abused to perform internal network reconnaissance by scanning internal hosts and services that are otherwise inaccessible externally. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information), CWE-611 (Improper Restriction of XML External Entity Reference), and CWE-918 (Server-Side Request Forgery). Exploitation requires no authentication or user interaction and can lead to significant confidentiality breaches by exposing internal network topology and services. GeoServer 2.25.0 and later mitigate this issue by defaulting to an ENTITY_RESOLUTION_ALLOWLIST approach, which restricts entity resolution more securely and does not require additional configuration. The CVSS v3.1 score is 9.3 (critical), reflecting the network attack vector, low complexity, no privileges or user interaction required, and high confidentiality impact with partial integrity impact but no availability impact. No known exploits are reported in the wild yet, but the vulnerability's nature and severity warrant immediate attention.
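To make the gap in the regex allowlist quoted in the description and analysis concrete, the following added example (written for this page, not GeoTools or GeoServer code) re-implements the quoted pattern as a full-match check and places it beside a host-allowlist check of the kind the 2.25.0 ENTITY_RESOLUTION_ALLOWLIST approach represents. The allowlisted schema hosts and all URIs are constructed for the example; the internal address is a made-up RFC 1918 value.

```python
import re
from urllib.parse import urlsplit

# The pattern as quoted in the advisory, with the Java string escaping
# removed (`\\.xsd` in a Java literal is the regex `\.xsd`).
WEAK_ALLOWED_URIS = re.compile(r"(?i)(jar:file|http|vfs)[^?#;]*\.xsd")

# Constructed allowlist of schema hosts for this example; a real deployment
# lists exactly the hosts its schemas are fetched from.
SCHEMA_HOST_ALLOWLIST = {"schemas.opengis.net", "www.opengis.net", "www.w3.org"}


def weak_check(system_id: str) -> bool:
    """Illustrative re-implementation of the pre-2.25 filter: accept the
    entity's systemId if the whole string matches the regex.  Because
    `[^?#;]*` accepts any host, port and path, any http(s) URI ending in
    .xsd passes, including ones pointing at internal addresses."""
    return WEAK_ALLOWED_URIS.fullmatch(system_id) is not None


def strict_check(system_id: str, allowlist=SCHEMA_HOST_ALLOWLIST) -> bool:
    """Allowlist-style check: only http(s), only to known schema hosts,
    no userinfo in the authority, and the path must end in .xsd."""
    parts = urlsplit(system_id)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False  # reject "trusted-host@attacker-host" style authorities
    host = parts.hostname
    if host is None or host.lower() not in allowlist:
        return False
    return parts.path.lower().endswith(".xsd")


def compare(system_ids):
    """Return {uri: (weak_result, strict_result)} for a list of entity URIs."""
    return {u: (weak_check(u), strict_check(u)) for u in system_ids}


if __name__ == "__main__":
    samples = [
        "http://schemas.opengis.net/gml/3.1.1/base/gml.xsd",  # legitimate
        "http://10.0.0.5:8080/probe.xsd",                      # internal host
        "http://schemas.opengis.net@10.0.0.5/probe.xsd",       # userinfo trick
        "file:///tmp/local.xsd",                               # not http
    ]
    for uri, (weak, strict) in compare(samples).items():
        print(f"{uri}\n    regex allowlist: {weak}   host allowlist: {strict}")
```

The second and third samples show the point of the advisory: both pass the regex yet neither reaches an allowlisted schema host.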

Potential Impact

For European organizations, the impact of CVE-2024-34711 can be substantial, especially for those relying on GeoServer for managing sensitive geospatial data related to infrastructure, urban planning, environmental monitoring, or defense. The vulnerability enables attackers to perform internal network reconnaissance by abusing the server's XML entity resolution process to send arbitrary HTTP requests. This can expose internal IP addresses, services, and configurations that are typically shielded from external access, facilitating subsequent targeted attacks such as lateral movement, data exfiltration, or further exploitation of internal systems. Confidentiality is severely impacted as sensitive internal network information can be leaked. Integrity impact is moderate since the attacker can influence some server behavior via crafted XML but cannot directly modify data. Availability is not affected. Given the criticality and ease of exploitation without authentication, attackers can leverage this vulnerability to gain a foothold or gather intelligence for more damaging attacks. European public sector entities, utilities, transportation agencies, and private companies using GeoServer for critical geospatial services are particularly at risk. The exposure of internal network details could also contravene GDPR requirements regarding data protection and network security, leading to regulatory and reputational consequences.

Mitigation Recommendations

1. Immediately upgrade to GeoServer version 2.25.0 or later, which implements a secure ENTITY_RESOLUTION_ALLOWLIST by default, effectively mitigating this vulnerability.
2. If upgrading is not immediately feasible, disable XML external entity processing or configure GeoServer to use a strict entity resolution allowlist manually.
3. Implement network-level controls such as firewall rules or web application firewalls (WAFs) to restrict outbound HTTP requests from GeoServer servers to only trusted destinations, preventing abuse for internal network scanning.
4. Monitor GeoServer logs for unusual XML requests or outbound HTTP connections that could indicate exploitation attempts.
5. Conduct internal network segmentation to limit the exposure of sensitive internal services from servers exposed to external networks.
6. Review and harden XML processing configurations in GeoServer and related GeoTools libraries to ensure no other unsafe entity resolution mechanisms are enabled.
7. Educate administrators and developers about the risks of XXE and SSRF to prevent similar issues in custom extensions or integrations.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2024-05-07T13:53:00.133Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f551b0bd07c3938a361

Added to database: 6/10/2025, 6:54:13 PM

Last enriched: 7/11/2025, 4:18:57 AM

Last updated: 8/14/2025, 3:45:03 PM
