GHSA-2p76-gc46-5fvc

Опубликовано: 10 июн. 2025

Источник: github

Github: Прошло ревью

CVSS3: 8.2

Описание

GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint

Impact

GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation.

This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files

Patches

GeoNetwork 4.4.8 / 4.2.13.

Workarounds

Remove the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars, disabling the WFS Index functionality.

References

Ссылки

Пакеты

Наименование

org.geonetwork-opensource:gn-web-app

maven

Затронутые версииВерсия исправления

>= 4.4.0, <= 4.4.7

4.4.8

Наименование

org.geonetwork-opensource:gn-web-app

maven

Затронутые версииВерсия исправления

>= 4.2.0, <= 4.2.12

4.2.13

Наименование

org.geonetwork-opensource:gn-wfsfeature-harvester

maven

Затронутые версииВерсия исправления

>= 4.4.0, <= 4.4.7

4.4.8

Наименование

org.geonetwork-opensource:gn-wfsfeature-harvester

maven

Затронутые версииВерсия исправления

>= 4.2.0, <= 4.2.12

4.2.13

8.2 High

CVSS3

Дефекты

CWE-611

CWE-918

8.2 High

CVSS3

Дефекты

CWE-611

CWE-918