Moderate severity · NVD Advisory · Published Dec 16, 2024 · Updated Dec 17, 2024

Welcome and About GeoServer pages communicate version and revision information

CVE-2024-35230

Description

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.geoserver.web:gs-web-app (Maven) | >= 2.0.0, < 2.25.1 | 2.25.1
org.geoserver.web:gs-web-core (Maven) | >= 2.0.0, < 2.25.1 | 2.25.1

Affected products

1

Patches

3
74fdab745a5d

hide version info on footer and (not visible to user on browser, but in HTML) header

https://github.com/geoserver/geoserver · david.blasby · May 13, 2024 · via ghsa
3 files changed · +26 1
  • src/web/core/src/main/java/org/geoserver/web/GeoServerBasePage.java+1 1 modified
    @@ -267,7 +267,7 @@ protected void onComponentTag(org.apache.wicket.markup.ComponentTag tag) {
             // home page link
             add(
                     new BookmarkablePageLink<>("home", GeoServerHomePage.class)
    -                        .add(new Label("label", new StringResourceModel("home", null, null))));
    +                        .add(new Label("label", "")));
     
             // dev buttons
             DeveloperToolbar devToolbar = new DeveloperToolbar("devButtons");
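Review bot: The changed line empties the "home" link label for every user, administrators included, and nothing in the code says why. Going by the commit title, the old `StringResourceModel("home", null, null)` text presumably carried version information into the page header, but that is not visible in this hunk. A comment on the new line such as `// label intentionally empty: the "home" resource text exposed version info in the HTML header` would keep a later cleanup from restoring it. The link now renders without text, so it is worth confirming it still has an accessible name. The enclosing block starts and ends outside the hunk.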
    
  • src/web/core/src/main/java/org/geoserver/web/GeoServerHomePage.java+6 0 modified
    @@ -645,6 +645,12 @@ private Label belongsTo(ContactInfo contactInfo, Locale locale) {
         private Label footerMessage(ContactInfo contactInfo, Locale locale) {
             String version = String.valueOf(new ResourceModel("version").getObject());
     
    +        boolean admin = getSession().isAdmin();
    +        if (!admin) {
    +            Label footerMessage = new Label("footerMessage", "");
    +            return footerMessage;
    +        }
    +
             HashMap<String, String> params = new HashMap<>();
             params.put("version", version);
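Review bot: In `footerMessage` the `version` string is still resolved before the new admin guard, and the guard uses `getSession().isAdmin()` whereas the About page fix in this same advisory uses `GeoServerSecurityManager.checkAuthenticationForAdminRole()`. Putting the guard first and returning directly keeps the lookup off the anonymous path: `if (!getSession().isAdmin()) { return new Label("footerMessage", ""); }`. Whether the two admin checks are equivalent cannot be told from these hunks; using one of them in both pages would make the disclosure policy easier to audit. The rest of `footerMessage` lies outside the hunk.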
     
    
  • src/web/core/src/test/java/org/geoserver/web/GeoServerHomePageTest.java+19 0 modified
    @@ -12,6 +12,7 @@
     import static org.junit.Assert.assertFalse;
     import static org.junit.Assert.assertNotSame;
     import static org.junit.Assert.assertNull;
    +import static org.junit.Assert.assertTrue;
     
     import java.util.ArrayList;
     import java.util.Collections;
    @@ -21,6 +22,7 @@
     import org.apache.wicket.Page;
     import org.apache.wicket.markup.html.basic.Label;
     import org.apache.wicket.markup.html.form.TextField;
    +import org.apache.wicket.model.StringResourceModel;
     import org.apache.wicket.util.tester.FormTester;
     import org.geoserver.catalog.PublishedInfo;
     import org.geoserver.catalog.WorkspaceInfo;
    @@ -290,6 +292,23 @@ public void testAutoSelection() throws Exception {
             tester.assertComponent("form:layer:select", Select2DropDownChoice.class);
         }
     
    +    @Test
    +    public void testHideSensitiveInfo() throws Exception {
    +        logout();
    +        tester.startPage(GeoServerHomePage.class);
    +
    +        var version = new StringResourceModel("version", null, null).getString();
    +
    +        String responseTxt = tester.getLastResponse().getDocument();
    +        assertFalse(responseTxt.contains(version));
    +
    +        login();
    +        tester.startPage(GeoServerHomePage.class);
    +
    +        responseTxt = tester.getLastResponse().getDocument();
    +        assertTrue(responseTxt.contains(version));
    +    }
    +
         public static class MockHomePageContentProvider implements GeoServerHomePageContentProvider {
             @Override
             public Component getPageBodyComponent(final String id) {
    
8cd1590a604a

hide private info on about page

https://github.com/geoserver/geoserver · david.blasby · May 13, 2024 · via ghsa
3 files changed · +79 35
  • src/web/core/src/main/java/org/geoserver/web/AboutGeoServerPage.html+33 31 modified
    @@ -2,37 +2,39 @@
       <body>
         <wicket:extend>
           <form>
    -       <fieldset class="mt-3">
    -         <legend>
    -           <wicket:message key="buildInformation">Build Information</wicket:message>
    -         </legend>
    -         <ul>
    -           <li>
    -             <label for="version"><wicket:message key="geoserverVersion">Version</wicket:message></label>
    -             <span id="version"><wicket:message key="version"></wicket:message></span>
    -           </li>
    -           <li>
    -             <label for="buildRevision"><wicket:message key="gitRevision">Git Revision</wicket:message></label>
    -             <span id="buildRevision"><wicket:message key="build.revision"></wicket:message></span>
    -           </li>
    -           <li>
    -             <label for="buildDate"><wicket:message key="buildDate">Build Date</wicket:message></label>
    -             <span id="buildDate"><wicket:message key="build.date"></wicket:message></span>
    -           </li>
    -           <li>
    -             <label for="geotoolsInfo"><wicket:message key="geotoolsVersion">GeoTools Version</wicket:message></label>
    -             <span id="geotoolsInfo">
    -               <span wicket:id="geotoolsVersion"></span> (rev <span wicket:id="geotoolsRevision"></span>)
    -             </span>
    -           </li>
    -           <li>
    -             <label for="geowebcacheInfo"><wicket:message key="geowebcacheVersion">GeoWebCache Version</wicket:message></label>
    -             <span id="geotoolsInfo">
    -               <span wicket:id="geowebcacheVersion"></span> (rev <span wicket:id="geowebcacheRevision"></span>)
    -             </span>
    -           </li>
    -         </ul>
    -       </fieldset>
    +          <wicket:container wicket:id="privateInfo">
    +               <fieldset  class="mt-3">
    +                 <legend>
    +                   <wicket:message key="buildInformation">Build Information</wicket:message>
    +                 </legend>
    +                 <ul>
    +                   <li>
    +                     <label for="version"><wicket:message key="geoserverVersion">Version</wicket:message></label>
    +                     <span id="version"><wicket:message key="version"></wicket:message></span>
    +                   </li>
    +                   <li>
    +                     <label for="buildRevision"><wicket:message key="gitRevision">Git Revision</wicket:message></label>
    +                     <span id="buildRevision"><wicket:message key="build.revision"></wicket:message></span>
    +                   </li>
    +                   <li>
    +                     <label for="buildDate"><wicket:message key="buildDate">Build Date</wicket:message></label>
    +                     <span id="buildDate"><wicket:message key="build.date"></wicket:message></span>
    +                   </li>
    +                   <li>
    +                     <label for="geotoolsInfo"><wicket:message key="geotoolsVersion">GeoTools Version</wicket:message></label>
    +                     <span id="geotoolsInfo">
    +                       <span wicket:id="geotoolsVersion"></span> (rev <span wicket:id="geotoolsRevision"></span>)
    +                     </span>
    +                   </li>
    +                   <li>
    +                     <label for="geowebcacheInfo"><wicket:message key="geowebcacheVersion">GeoWebCache Version</wicket:message></label>
    +                     <span id="geotoolsInfo">
    +                       <span wicket:id="geowebcacheVersion"></span> (rev <span wicket:id="geowebcacheRevision"></span>)
    +                     </span>
    +                   </li>
    +                 </ul>
    +               </fieldset>
    +          </wicket:container>
            <fieldset>
                <legend><wicket:message key="moreInformation">More Information</wicket:message></legend>
                <p>
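Review bot: The re-indented GeoWebCache item still uses `<span id="geotoolsInfo">` under `<label for="geowebcacheInfo">`, so the new markup has a duplicate `id` and a label that points at no element. Since every line of the block is rewritten here anyway, the span should become `<span id="geowebcacheInfo">`. This also matters for the accompanying test, which searches the response for the literal `geotoolsInfo`.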
    
  • src/web/core/src/main/java/org/geoserver/web/AboutGeoServerPage.java+24 4 modified
    @@ -6,7 +6,10 @@
     package org.geoserver.web;
     
     import java.util.logging.Level;
    +import org.apache.wicket.markup.html.WebMarkupContainer;
     import org.apache.wicket.markup.html.basic.Label;
    +import org.geoserver.platform.GeoServerExtensions;
    +import org.geoserver.security.GeoServerSecurityManager;
     import org.geotools.util.factory.GeoTools;
     
     /**
    @@ -16,11 +19,28 @@
      */
     public class AboutGeoServerPage extends GeoServerBasePage {
     
    +    GeoServerSecurityManager getManager() {
    +        return GeoServerExtensions.bean(GeoServerSecurityManager.class);
    +    }
    +
         public AboutGeoServerPage() {
    -        add(new Label("geotoolsVersion", GeoTools.getVersion().toString()));
    -        add(new Label("geotoolsRevision", GeoTools.getBuildRevision()));
    -        add(new Label("geowebcacheVersion", getGwcVersion()));
    -        add(new Label("geowebcacheRevision", getGwcRevision()));
    +        // hide info based on if the user is admin or not
    +        var privateInfo = new WebMarkupContainer("privateInfo");
    +        add(privateInfo);
    +
    +        var isAdmin = getManager().checkAuthenticationForAdminRole();
    +        if (isAdmin) {
    +            privateInfo.add(new Label("geotoolsVersion", GeoTools.getVersion().toString()));
    +            privateInfo.add(new Label("geotoolsRevision", GeoTools.getBuildRevision()));
    +            privateInfo.add(new Label("geowebcacheVersion", getGwcVersion()));
    +            privateInfo.add(new Label("geowebcacheRevision", getGwcRevision()));
    +        } else {
    +            add(new Label("geotoolsVersion", GeoTools.getVersion().toString()));
    +            add(new Label("geotoolsRevision", GeoTools.getBuildRevision()));
    +            add(new Label("geowebcacheVersion", getGwcVersion()));
    +            add(new Label("geowebcacheRevision", getGwcRevision()));
    +            privateInfo.setVisible(false);
    +        }
         }
     
         public String getGwcVersion() {
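Review bot: The `else` branch of the constructor still builds the four version and revision labels for non-admin users and attaches them to the page, although their markup sits inside the hidden `privateInfo` container. The labels could be added to `privateInfo` unconditionally, with the `if`/`else` replaced by `privateInfo.setVisible(isAdmin);`. That removes the duplicated `add(...)` calls and makes it obvious that nothing version-related is attached outside the gated container. The existing comment could then state the rule directly, e.g. `// build and library versions are rendered for administrators only`. `getManager()` is package-private and undocumented; a one-line Javadoc saying it exists so the admin check can be resolved from `GeoServerExtensions` would help.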
    
  • src/web/core/src/test/java/org/geoserver/web/GeoServerAboutPageTest.java+22 0 modified
    @@ -7,6 +7,8 @@
     import static org.hamcrest.CoreMatchers.instanceOf;
     import static org.hamcrest.MatcherAssert.assertThat;
     import static org.junit.Assert.assertEquals;
    +import static org.junit.Assert.assertFalse;
    +import static org.junit.Assert.assertTrue;
     
     import org.apache.wicket.util.tester.TagTester;
     import org.junit.Test;
    @@ -26,4 +28,24 @@ public void testLoginFormAction() throws Exception {
                     "http://localhost/context/j_spring_security_check",
                     tagTester.getAttribute("action"));
         }
    +
    +    /**
    +     * The About page should hide the sensitive information (like version info, etc...). This test:
    +     * gets the page as a non-admin -> version info should NOT be there gets the page as ADMIN ->
    +     * version info SHOULD be there
    +     */
    +    @Test
    +    public void testHideSensitiveInfo() throws Exception {
    +        logout();
    +        tester.executeUrl("./wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage");
    +
    +        String responseTxt = tester.getLastResponse().getDocument();
    +        assertFalse(responseTxt.contains("geotoolsInfo"));
    +
    +        login();
    +        tester.executeUrl("./wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage");
    +
    +        responseTxt = tester.getLastResponse().getDocument();
    +        assertTrue(responseTxt.contains("geotoolsInfo"));
    +    }
     }
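Review bot: `testHideSensitiveInfo` asserts on the literal `geotoolsInfo`, which is an HTML `id` in the template, not on any version value. The test would therefore still pass if a version or revision string were rendered elsewhere on the anonymous page. Asserting on the data itself closes that gap, for example `assertFalse(responseTxt.contains(GeoTools.getVersion().toString()));` for the logged-out request, with the matching `assertTrue` after `login()`. This would need an import of `org.geotools.util.factory.GeoTools`, which the test file does not show.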
    
5fd5f35ae176

[GEOS-11401] Introduce environmental variables for Module Status page

https://github.com/geoserver/geoserver · david.blasby · May 13, 2024 · via ghsa
6 files changed · +301 2
  • doc/en/user/source/configuration/properties/index.rst+12 0 modified
    @@ -31,6 +31,18 @@ GeoServer Property Reference
          - x
          - x
          - x
    +   * - GEOSERVER_MODULE_SYSTEM_ENVIRONMENT_STATUS_ENABLED
    +       
    +       :ref:`module_status_security_environment_vars`
    +     -  
    +     -  
    +     - x
    +   * - GEOSERVER_MODULE_SYSTEM_PROPERTY_STATUS_ENABLED
    +       
    +       :ref:`module_status_security_environment_vars`     
    +     -  
    +     -  
    +     - x
        * - GEOWEBCACHE_CACHE_DIR
            
            :doc:`/geowebcache/config`
    
  • doc/en/user/source/production/config.rst+31 0 modified
    @@ -139,6 +139,37 @@ In some circumstances, you might want to completely disable the web administrati
     * Set the Java system property ``GEOSERVER_CONSOLE_DISABLED`` to true by adding ``-DGEOSERVER_CONSOLE_DISABLED=true`` to your container's JVM options
     * Remove all of the :file:`gs-web*-.jar` files from :file:`WEB-INF/lib`
     
    +.. _module_status_security_environment_vars:
    +
    +Showing Environment Variables and Java System Properties
    +''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    +
    +Module status information is available describing the operational environment.
    +
    +* The :guilabel:`GeoServer Status` page :ref:`config_serverstatus_module`.
    +* The REST ``/geoserver/rest/about/status`` endpoint lists module status information
    +
    +1. By default GeoServer does **not** show Environment Variables and Java System Properties.
    +
    +2. To show environment variables and Java system properties on the status page and REST API, start GeoServer with these environment variables set to ``true``:
    +
    +   * `GEOSERVER_MODULE_SYSTEM_ENVIRONMENT_STATUS_ENABLED`
    +   * `GEOSERVER_MODULE_SYSTEM_PROPERTY_STATUS_ENABLED`
    +
    +3. In a production system, these should be set to ``false`` (or leave them undefined).
    +
    +   .. warning::
    +
    +      While this feature can help an administrator debug a GeoServer instance's configuration, environment variables can include sensitive information such as database passwords and API access keys/tokens, particularly when running in a containerised environment (such as Docker or Kubernetes) or with ``ALLOW_ENV_PARAMETRIZATION=true``.
    +
    +   .. note:: Linux
    +   
    +      Linux administrators can get a list of all environment variables set at GeoServer startup with:
    +
    +      .. code-block:: bash
    +
    +         tr '\0' '\n' < /proc/${GEOSERVER_PID}/environ
    +
     Application Server Guidance
     ---------------------------
     
    
  • src/platform/src/main/java/org/geoserver/platform/SystemEnvironmentStatus.java+49 0 modified
    @@ -7,10 +7,23 @@
     
     import java.util.Map.Entry;
     import java.util.Optional;
    +import java.util.logging.Level;
    +import java.util.logging.Logger;
    +import org.geotools.util.logging.Logging;
     
     /** Report system environment details to server status page. */
     public class SystemEnvironmentStatus implements ModuleStatus {
     
    +    private static final Logger LOGGER = Logging.getLogger(SystemEnvironmentStatus.class);
    +
    +    /**
    +     * Name of the environment variable that turns on the details (listing of all environment
    +     * variables) for this module. "false" = don't show, "true" = show all the environment variables
    +     * on the web interface.
    +     */
    +    public static final String SystemEnvironmentStatusEnabledEnvironmentVar =
    +            "GEOSERVER_MODULE_SYSTEM_ENVIRONMENT_STATUS_ENABLED";
    +
         @Override
         public String getModule() {
             return "system-environment";
    @@ -41,8 +54,44 @@ public boolean isEnabled() {
             return true;
         }
     
    +    /** For Testing - this can be mocked to change environment variables. */
    +    String getEnvironmentVariable(String envVar) {
    +        return System.getenv(envVar);
    +    }
    +
    +    /**
    +     * returns true if the message (list of variables) should be shown
    +     *
    +     * <p>Uses environment variable SystemPropertyStatusEnabledEnvironmentVar
    +     * ("GEOSERVER_MODULE_SYSTEM_ENVIRONMENT_STATUS_ENABLED") not defined -> false (default) bad
    +     * value -> false (default)
    +     */
    +    public boolean isShow() {
    +        String val = getEnvironmentVariable(SystemEnvironmentStatusEnabledEnvironmentVar);
    +        if (val == null) {
    +            return false; // not defined -> default
    +        }
    +        if (val.equalsIgnoreCase("true") || val.equalsIgnoreCase("false")) {
    +            return val.equalsIgnoreCase("true");
    +        }
    +        LOGGER.log(
    +                Level.WARNING,
    +                String.format(
    +                        "environment variable '%s' should be 'true' or 'false', but was '%s'",
    +                        SystemEnvironmentStatusEnabledEnvironmentVar, val));
    +        return false; // bad value -> default
    +    }
    +
         @Override
         public Optional<String> getMessage() {
    +        if (!isShow()) {
    +            var message =
    +                    String.format(
    +                            "Environment variables hidden for security reasons.  Set the environment variable '%s' to 'true' to see them.",
    +                            SystemEnvironmentStatusEnabledEnvironmentVar);
    +            return Optional.of(message);
    +        }
    +
             StringBuffer result = new StringBuffer();
             for (Entry<String, String> entry : System.getenv().entrySet()) {
                 result.append(entry.getKey().toString() + "=" + entry.getValue().toString() + "\n");
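Review bot: The Javadoc on `isShow()` names `SystemPropertyStatusEnabledEnvironmentVar`, but this class reads `SystemEnvironmentStatusEnabledEnvironmentVar`. The comment looks copied from the sibling class and should read `Uses environment variable SystemEnvironmentStatusEnabledEnvironmentVar`. The same comment runs the "not defined" and "bad value" cases into one sentence, so a short list would read better. `isShow()` is evaluated on every `getMessage()` call, so a misconfigured value logs the WARNING each time the status is requested; reading the setting once would avoid the repeated log lines. `getMessage()` continues outside the hunk.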
    
  • src/platform/src/main/java/org/geoserver/platform/SystemPropertyStatus.java+48 0 modified
    @@ -7,9 +7,22 @@
     
     import java.util.Map.Entry;
     import java.util.Optional;
    +import java.util.logging.Level;
    +import java.util.logging.Logger;
    +import org.geotools.util.logging.Logging;
     
     public class SystemPropertyStatus implements ModuleStatus {
     
    +    private static final Logger LOGGER = Logging.getLogger(SystemPropertyStatus.class);
    +
    +    /**
    +     * Name of the environment variable that turns on the details (listing of all property
    +     * variables) for this module. "false" = don't show, "true" = show all the environment variables
    +     * on the web interface.
    +     */
    +    public static final String SystemPropertyStatusEnabledEnvironmentVar =
    +            "GEOSERVER_MODULE_SYSTEM_PROPERTY_STATUS_ENABLED";
    +
         @Override
         public String getModule() {
             return "system-properties";
    @@ -40,8 +53,43 @@ public boolean isEnabled() {
             return true;
         }
     
    +    /** For Testing - this can be mocked to change environment variables. */
    +    String getEnvironmentVariable(String envVar) {
    +        return System.getenv(envVar);
    +    }
    +
    +    /**
    +     * returns true if the message (list of variables) should be shown
    +     *
    +     * <p>Uses environment variable SystemPropertyStatusEnabledEnvironmentVar
    +     * ("GEOSERVER_MODULE_SYSTEM_PROPERTY_STATUS_ENABLED") not defined -> false (default) bad value
    +     * -> false (default)
    +     */
    +    public boolean isShow() {
    +        String val = getEnvironmentVariable(SystemPropertyStatusEnabledEnvironmentVar);
    +        if (val == null) {
    +            return false; // not defined -> default
    +        }
    +        if (val.equalsIgnoreCase("true") || val.equalsIgnoreCase("false")) {
    +            return val.equalsIgnoreCase("true");
    +        }
    +        LOGGER.log(
    +                Level.WARNING,
    +                String.format(
    +                        "environment variable '%s' should be 'true' or 'false', but was '%s'",
    +                        SystemPropertyStatusEnabledEnvironmentVar, val));
    +        return false; // bad value -> default
    +    }
    +
         @Override
         public Optional<String> getMessage() {
    +        if (!isShow()) {
    +            var message =
    +                    String.format(
    +                            "Java system properties hidden for security reasons.  Set the environment variable '%s' to 'true' to see them.",
    +                            SystemPropertyStatusEnabledEnvironmentVar);
    +            return Optional.of(message);
    +        }
             StringBuffer result = new StringBuffer();
             for (Entry<Object, Object> entry : System.getProperties().entrySet()) {
                 result.append(entry.getKey().toString() + "=" + entry.getValue().toString() + "\n");
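Review bot: `getEnvironmentVariable()` and `isShow()` here are line-for-line copies of the ones added to `SystemEnvironmentStatus`, differing only in the constant they read. A shared package-private helper taking the variable name would keep the default-to-hidden parsing in one place, so a later change to one gate cannot miss the other. The Javadoc on `SystemPropertyStatusEnabledEnvironmentVar` also says the switch will `show all the environment variables`, where this module lists Java system properties. `getMessage()` continues outside the hunk.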
    
  • src/platform/src/test/java/org/geoserver/platform/SystemEnvironmentTest.java+80 1 modified
    @@ -8,6 +8,7 @@
     import static org.junit.Assert.assertFalse;
     import static org.junit.Assert.assertTrue;
     
    +import java.util.ArrayList;
     import java.util.HashMap;
     import java.util.Map;
     import java.util.logging.Logger;
    @@ -26,12 +27,90 @@ public void testSystemPropertiesStatus() {
             String key = System.getenv().keySet().iterator().next();
             String value = System.getenv(key);
     
    -        SystemEnvironmentStatus status = new SystemEnvironmentStatus();
    +        SystemEnvironmentStatus status =
    +                new SystemEnvironmentStatus() {
    +                    String getEnvironmentVariable(String envVar) {
    +                        return "true";
    +                    }
    +                };
    +
             assertTrue(status.getMessage().isPresent());
             assertTrue(status.getMessage().get().contains(key));
             assertTrue(status.getMessage().get().contains(value));
         }
     
    +    /**
    +     * Tests the SystemEnvironmentStatusEnabledEnvironmentVar so it turns on/off the message (list
    +     * of environment vars).
    +     */
    +    @Test
    +    public void testEnabled() {
    +        final var VALUE = new ArrayList<String>();
    +
    +        // create subclass of SystemEnvironmentStatus so we can change the value of the environment
    +        // variable.
    +        // VALUE empty -> null
    +        // otherwise its the first item in the VALUE
    +        // if the request is for a different environment var -> throw
    +        SystemEnvironmentStatus status =
    +                new SystemEnvironmentStatus() {
    +                    String getEnvironmentVariable(String envVar) {
    +                        if (envVar.equals(
    +                                SystemEnvironmentStatus
    +                                        .SystemEnvironmentStatusEnabledEnvironmentVar)) {
    +                            if (VALUE.isEmpty()) {
    +                                return null;
    +                            }
    +                            return VALUE.get(0);
    +                        }
    +                        throw new RuntimeException("bad var");
    +                    }
    +                };
    +
    +        VALUE.clear();
    +        VALUE.add("true");
    +        assertTrue(status.isShow());
    +        assertTrue(!status.getMessage().isEmpty());
    +
    +        VALUE.clear();
    +        VALUE.add("TRUE");
    +        assertTrue(status.isShow());
    +        assertTrue(!status.getMessage().isEmpty());
    +
    +        VALUE.clear();
    +        VALUE.add("FALSE");
    +        assertFalse(status.isShow());
    +        assertTrue(
    +                status.getMessage()
    +                        .get()
    +                        .startsWith("Environment variables hidden for security reasons."));
    +
    +        VALUE.clear();
    +        VALUE.add("false");
    +        assertFalse(status.isShow());
    +        assertTrue(
    +                status.getMessage()
    +                        .get()
    +                        .startsWith("Environment variables hidden for security reasons."));
    +
    +        // default -> false
    +        VALUE.clear();
    +        assertFalse(status.isShow());
    +        assertTrue(
    +                status.getMessage()
    +                        .get()
    +                        .startsWith("Environment variables hidden for security reasons."));
    +
    +        // bad value -> false
    +        VALUE.clear();
    +        VALUE.add("maybe");
    +        assertFalse(status.isShow());
    +        assertTrue(
    +                status.getMessage()
    +                        .get()
    +                        .startsWith("Environment variables hidden for security reasons."));
    +    }
    +
         @Test
         public void testGeoServerEnvironmentDefaultValue() {
             System.clearProperty("ALLOW_ENV_PARAMETRIZATION");
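Review bot: In `testEnabled` the two enabled cases assert only `assertTrue(!status.getMessage().isEmpty())`, which cannot fail for the reason under test, because the hidden branch of `getMessage()` also returns a present `Optional`. The enabled cases should check that the placeholder is absent, e.g. `assertFalse(status.getMessage().get().startsWith("Environment variables hidden for security reasons."));`. `SystemPropertiesStatusTest.testEnabled` has the same pattern with its own message text. The anonymous subclasses in both files would also benefit from `@Override` on `getEnvironmentVariable`, so a signature change in the production class breaks the test at compile time.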
    
  • src/platform/src/test/java/org/geoserver/platform/SystemPropertiesStatusTest.java+81 1 modified
    @@ -5,8 +5,10 @@
     
     package org.geoserver.platform;
     
    +import static org.junit.Assert.assertFalse;
     import static org.junit.Assert.assertTrue;
     
    +import java.util.ArrayList;
     import org.junit.Test;
     
     public class SystemPropertiesStatusTest {
    @@ -18,9 +20,87 @@ public class SystemPropertiesStatusTest {
         @Test
         public void testSystemPropertiesStatus() {
             System.setProperty(KEY, VALUE);
    -        SystemPropertyStatus status = new SystemPropertyStatus();
    +
    +        SystemPropertyStatus status =
    +                new SystemPropertyStatus() {
    +                    String getEnvironmentVariable(String envVar) {
    +                        return "true";
    +                    }
    +                };
    +
             assertTrue(status.getMessage().isPresent());
             assertTrue(status.getMessage().get().contains(KEY));
             assertTrue(status.getMessage().get().contains(VALUE));
         }
    +
    +    /**
    +     * Tests the SystemPropertyStatusEnabledEnvironmentVar so it turns on/off the message (list of
    +     * property vars).
    +     */
    +    @Test
    +    public void testEnabled() {
    +        final var VALUE = new ArrayList<String>();
    +
    +        // create subclass of SystemPropertyStatus so we can change the value of the environment
    +        // variable.
    +        // VALUE empty -> null
    +        // otherwise its the first item in the VALUE
    +        // if the request is for a different environment var -> throw
    +        SystemPropertyStatus status =
    +                new SystemPropertyStatus() {
    +                    String getEnvironmentVariable(String envVar) {
    +                        if (envVar.equals(
    +                                SystemPropertyStatus.SystemPropertyStatusEnabledEnvironmentVar)) {
    +                            if (VALUE.isEmpty()) {
    +                                return null;
    +                            }
    +                            return VALUE.get(0);
    +                        }
    +                        throw new RuntimeException("bad var");
    +                    }
    +                };
    +
    +        VALUE.clear();
    +        VALUE.add("true");
    +        assertTrue(status.isShow());
    +        assertTrue(!status.getMessage().isEmpty());
    +
    +        VALUE.clear();
    +        VALUE.add("TRUE");
    +        assertTrue(status.isShow());
    +        assertTrue(!status.getMessage().isEmpty());
    +
    +        VALUE.clear();
    +        VALUE.add("FALSE");
    +        assertFalse(status.isShow());
    +        assertTrue(
    +                status.getMessage()
    +                        .get()
    +                        .startsWith("Java system properties hidden for security reasons."));
    +
    +        VALUE.clear();
    +        VALUE.add("false");
    +        assertFalse(status.isShow());
    +        assertTrue(
    +                status.getMessage()
    +                        .get()
    +                        .startsWith("Java system properties hidden for security reasons."));
    +
    +        // default -> false
    +        VALUE.clear();
    +        assertFalse(status.isShow());
    +        assertTrue(
    +                status.getMessage()
    +                        .get()
    +                        .startsWith("Java system properties hidden for security reasons."));
    +
    +        // bad value -> false
    +        VALUE.clear();
    +        VALUE.add("maybe");
    +        assertFalse(status.isShow());
    +        assertTrue(
    +                status.getMessage()
    +                        .get()
    +                        .startsWith("Java system properties hidden for security reasons."));
    +    }
     }
    


References

6
