#git

## Summary GeoServer Web Feature Service (WFS) web service was found to be vulnerable to GeoTools CVE-2025-30220 XML External Entity (XXE) processing attack. It is possible to trigger the parsing of external DTDs and entities, bypassing standard entity resolvers. This allows for Out-of-Band (OOB) data exfiltration of local files accessible by the GeoServer process, and Service Side Request Forgery (SSRF). ## Details While direct entity resolution is managed by application property ENTITY_RESOLUTION_ALLOWLIST for XML Parsing, this restriction was not being used by the GeoTools library when building an in-memory XSD Library Schema representation. This bypasses GeoServer's AllowListEntityResolver enabling XXE attacks. ## PoC No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS service. ## Impact * Information Disclosure: This vulnerability allows unauthenticated attackers to read arbitrary files from the server's filesystem that a...

### Summary Malicious Jiffle scripts can be executed by GeoServer, either as a rendering transformation in WMS dynamic styles or as a WPS process, that can enter an infinite loop to trigger denial of service. ### Details The Jiffle language supports multiple loop constructs that will cause its code block to be continuously executed until a certain condition is met. The Jiffle runtime should be updated to throw an exception if the script exceeds a certain number of loop iterations. ### Impact This vulnerability allows attackers to conduct denial-of-service attacks. ### Mitigation This vulnerability can be mitigated by disabling WMS dynamic styling (see [WMS Settings](https://docs.geoserver.org/latest/en/user/services/wms/webadmin.html#disabling-usage-of-dynamic-styling-in-getmap-getfeatureinfo-and-getlegendgraphic-requests)). If the WPS extension is installed, the Jiffle process must also be disabled to mitigate this vulnerability (see [WPS Settings](https://docs.geoserver.org/latest...

### Summary It is possible to bypass the default REST API security and access the index page. ### Details The REST API security handles `rest` and its subpaths but not `rest` with an extension (e.g., `rest.html`). ### Impact The REST API index can disclose whether certain extensions are installed. ### Workaround In `${GEOSERVER_DATA_DIR}/security/config.xml`, change the paths for the `rest` filter to `/rest.*,/rest/**` and change the paths for the `gwc` filter to `/gwc/rest.*,/gwc/rest/**` and restart GeoServer. ### References https://osgeo-org.atlassian.net/browse/GEOS-11664 https://osgeo-org.atlassian.net/browse/GEOS-11776 https://github.com/geoserver/geoserver/pull/8170

Through artifact attestation and the SLSA framework, GitHub's Jennifer Schelkopf argues that at least some supply chain attacks can be stopped in their tracks.

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Cybersecurity researchers have shed light on a previously undocumented Rust-based information stealer called Myth Stealer that's being propagated via fraudulent gaming websites. "Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing malicious code in the background," Trellix security researchers Niranjan Hegde, Vasantha Lakshmanan

Backdoors lurking in legitimate-looking code contain file-deletion commands that can destroy production systems and cause massive disruptions to software supply chains.

### Summary The Coverage rest api `/workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format}` allow to upload file with a specified url (with {method} equals 'url') with no restrict. ### Details The Coverage rest api `/workspaces/{workspaceName}/coveragestores/{storeName}/{method}.{format}` allow to upload file with a specified url (with {method} equals 'url'). But this url has not been check with [URL Checks feature](https://docs.geoserver.org/latest/en/user/security/urlchecks.html#url-checks). For example, should add the code below to check fileURL: ```java URLCheckers.confirm(fileURL) ``` The vulnerable code was [RESTUtils.java](https://github.com/geoserver/geoserver/blob/main/src/rest/src/main/java/org/geoserver/rest/util/RESTUtils.java#L176) ### Impact This vulnerability presents the opportunity for Server Side Request Forgery. ### References - https://osgeo-org.atlassian.net/browse/GEOS-11468 - https://osgeo-org.atlassian.net/browse/GEOS-11717

### Summary The GeoWebCache home page includes version and revision information about the software in use. This information is sensitive from a security point of view because it allows software used by the server to be easily identified. ### Details org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. ### PoC Just open http://localhost:8080/geoserver/gwc/ ### Impact In addition to exposing the version and revision information, the home page will expose the config file and storage locations which may expose the system's temp directory location and whether or not GeoServer is running in a Windows operating system. The approximate server start time and some basic GWC usage information is also exposed. ### References https://osgeo-org.atlassian.net/browse/GEOS-11677 https://g...

### Summary An improper URI validation vulnerability exists that enables an unauthorized attacker to perform XML External Entities (XEE) attack, then send GET request to any HTTP server. Attacker can abuse this to scan internal networks and gain information about them then exploit further. Moreover, attacker can read limited `.xsd` file on system. ### Details By default, GeoServer use `PreventLocalEntityResolver` class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex `(?i)(jar:file|http|vfs)[^?#;]*\\.xsd`. But the regex leaves a chance for attackers to request to any HTTP server or limited file. ### Impact An unauthenticated attacker can: 1. Scan internal network to gain insight about it and exploit further. 2. SSRF to endpoint ends with `.xsd`. 3. Read limited `.xsd` file on system. ### Mitigation 1. Define the system property ``ENTITY_RESOLUTION_ALLOWLIST`` to limit the supported external schema locaitons. 2. The buil...