VYPR
High severity · 7.2 · GHSA Advisory · Published Jun 12, 2026 · Updated Jun 12, 2026

GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page

CVE-2025-52465

Description

An authenticated GeoServer administrator can write files containing the master password to arbitrary absolute paths, leading to RCE, NTLM disclosure, or DoS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A path traversal vulnerability exists in GeoServer's Master Password Dump web page, identified as CVE-2025-52465. An authenticated administrator with access to the security system can supply an arbitrary absolute file path (e.g., /path/to/file). The page writes the GeoServer master password in plaintext to the specified file, provided the file does not already exist and all parent directories exist. GeoServer performs minimal validation of the file name as a java.io.File path; a previous fix prevents relative path traversal, but absolute paths are permitted. Additionally, GeoServer does not enforce a maximum password length, allowing an administrator to embed malicious JSP code within the master password string [1][2].
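To make the validation gap concrete, here is an added illustration in Java (not GeoServer's code and not the fix from PR #8584): a check that only refuses relative traversal, beside one that resolves the supplied name inside a fixed output directory and rejects anything that escapes it. The class name, the base-directory argument and the sample names are assumptions for the demonstration, and Java 11 or later is assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.LinkOption;
import java.nio.file.Path;

/** Added illustration, not GeoServer code: confining a caller-supplied output file name. */
public final class DumpPathCheck {

    /** The pattern the advisory describes: "../" is refused, but an absolute (or UNC) path is not. */
    static boolean traversalOnlyCheck(String fileName) {
        return !fileName.contains("..");
    }

    /**
     * Confined variant. The name is resolved against a fixed base directory; anything that
     * ends up outside it (absolute path, UNC path, ".." segments, nested directories) is
     * rejected, and the target must not already exist.
     */
    static Path resolveWithinBase(Path baseDir, String fileName) throws IOException {
        if (fileName == null || fileName.isBlank()) {
            throw new IllegalArgumentException("file name is required");
        }
        Path base = baseDir.toRealPath(); // canonical form, symlinks followed; base must exist
        Path candidate;
        try {
            // resolve() returns an absolute argument unchanged, so an absolute or UNC name
            // surfaces here as a candidate that does not lie under base
            candidate = base.resolve(fileName).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid file name", e);
        }
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes the allowed directory");
        }
        if (!base.equals(candidate.getParent())) {
            throw new IllegalArgumentException("subdirectories are not allowed");
        }
        if (Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            throw new IllegalArgumentException("file already exists");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("dumpcheck"); // constructed sandbox directory
        // Constructed sample names. The UNC form is only absolute on Windows; on POSIX
        // backslashes are ordinary file-name characters and that name stays inside base.
        String[] inputs = {"masterpw.txt", "../outside.txt", "/tmp/abs.txt",
                "sub/nested.txt", "\\\\host\\share\\x.txt"};
        for (String in : inputs) {
            String weak = traversalOnlyCheck(in) ? "accepted" : "rejected";
            String confined;
            try {
                resolveWithinBase(base, in);
                confined = "accepted";
            } catch (IllegalArgumentException e) {
                confined = "rejected: " + e.getMessage();
            }
            System.out.printf("%-24s traversal-only=%s  confined=%s%n", in, weak, confined);
        }
    }
}
```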

Exploitation

An attacker must have valid administrator credentials and access to the GeoServer web interface. The attacker navigates to the Master Password Dump page and provides an absolute path to a target file. For remote code execution, the attacker can set the master password to contain JSP code and then direct the output to a file under the Tomcat webapps directory (e.g., /path/to/tomcat/webapps/ROOT/evil.jsp). GeoServer writes the password string (including JSP code) into that file. If GeoServer is running on Windows, the attacker may also supply a UNC path or a path that forces an outbound SMB connection, causing the GeoServer process to authenticate to an attacker-controlled server, thereby disclosing NTLM hashes [1][2].

Impact

Successful exploitation can have outcomes of differing severity. High severity: Remote Code Execution (RCE) when GeoServer is deployed on a default Tomcat installation that auto-deploys JSP files placed in its webapps directory. Moderate severity: NTLM hash disclosure on Windows systems, enabling further credential-based attacks. Low severity: Denial of Service by writing files to sensitive locations where the GeoServer process has write permissions, potentially disrupting service [1][2].

Mitigation

GeoServer installations where the web interface is disabled or completely removed are not affected, as the vulnerability resides in a web page [1][2]. A fix has been proposed in Pull Request #8584, which removes the Master Password Info page and adjusts the master password workflow [3]. Administrators should apply this patch or upgrade to a version that includes the fix once released. Until then, disabling the web interface or restricting access to trusted admin accounts reduces risk [1][2].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

d6971bf12106

[GEOS-11911] Application property GEOSERVER_ROOT_LOGIN_ENABLED

https://github.com/geoserver/geoserver · Jody Garnett · Aug 26, 2025 · via body-scan-shorthand
6 files changed · +141 −53
  • doc/en/user/source/configuration/properties/index.rst · +8 −0 · modified
    @@ -11,6 +11,8 @@ While many configuration and setup options are available through the Web Adminis
     
     As part of the operating environment GeoServer application properties, unlike settings, cannot be changed at runtime.
     
    +For more information see :ref:`production_config`.
    +
     GeoServer Property Reference
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     
    @@ -422,6 +424,12 @@ GeoServer Property Reference
          - x
          - x
          - x
    +   * - GEOSERVER_ROOT_LOGIN_ENABLED
    +
    +       :ref:`security_root`
    +     - x
    +     - x
    +     - x
        * - ALLOW_ENV_PARAMETRIZATION
     
            :doc:`/datadirectory/configtemplate`
    
  • doc/en/user/source/production/config.rst · +41 −0 · modified
    @@ -3,6 +3,38 @@
     Configuration Considerations
     ============================
     
    +Configuration targets three distinct environments:
    +
    +* Common Case: The System Administrator and the GeoServer Administrator are the same individual, or the GeoServer Administrator already has console access to perform data management. 
    +  
    +  In this environment the GeoServer Administrator already has console access, and many settings are available in
    +  the Web administration interface to define proxy base url, log file location, or what file directories may be
    +  used for storage, that assume general knowledge of the environments and the ability to create folders and
    +  adjust file permissions.
    +
    +  See :ref:`production_config_geoserver_admin`
    +    
    +* Less common case: The GeoServer Administrator does not have any sort of console access, and the System Administrator
    +  define configuration settings using :ref:`application properties <application_properties>`.
    +  
    +  In this environment the functionality of the Web administration interface is reduced. The GeoServer Administrator
    +  may see settings, such as log file location, which are ignored as they have been already specified by the System Administrator.
    +  
    +  This is most often seen when a system administrator is providing hosting for a GeoServer administrator.
    +  It is also seen when GeoServer is used in a container environment where Environmental Variables are
    +  used for integration defining settings such proxy base url and log file location.
    +  
    +  See :ref:`production_config_system_admin`
    +
    +* Less common case: Configuring GeoServer with Workspace Administrators, where individuals each manage their
    +  own workspace contents, and web services.
    +  
    +  This is often seen when a GeoServer Administrator configures workspaces for different projects or teams. Settings such as :ref:`security_sandbox` to limited directory access are established with this environment in mind.
    +
    +  See :ref:`production_config_workspace_admin`
    +
    +.. note:: Not all configuration options can be supplied using the Web administration interface. Some settings, such as the location of the :ref:`GeoServer Data Directory <datadir_setting>`, may only be setup by a System Administrator.
    +
     General Guidance
     ----------------
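Review bot: the added overview needs a grammar pass before it ships in the user manual: "the System Administrator define configuration settings" should read "defines", "settings such proxy base url" is missing "as", "Settings such as :ref:`security_sandbox` to limited directory access" should be "to limit directory access", and "may only be setup by a System Administrator" should be "set up". Several of the added lines ("the same individual. ", the indented blank lines after each bullet) carry trailing whitespace, which RST linters flag. The second and third bullets are both titled "Less common case", so consider distinguishing them (for example "Hosted case" and "Workspace administrator case") so the three :ref: targets below can be told apart from the bullet titles alone.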
     
    @@ -79,6 +111,8 @@ If you would like some users to be able to modify data, set the service level :g
     
     If you would like some users to be able to modify some but not all of your data, set the :guilabel:`Service Level` to ``Transactional`` (or ``Complete``), and use :ref:`security_layer` to limit write access to specific layers. Data security can be used to allow write access based on workspace, datastore, or layer security.
     
    +.. _production_config_workspace_admin:
    +
     GeoServer Workspace Admin Guidance
     ----------------------------------
     
    @@ -95,6 +129,11 @@ Establishing a workspace administrator user is a recommended configuration provi
     
     4. Recommendation: The combination of workspace admin permission and GROUP_ADMIN access provides a effective combination for an individual responsible for a workspace. This provides the ability to both manage and control access to the data products in a workspace.
     
    +5. Recommendation: Provide each workspace admin with :ref:`sandbox <security_sandbox>` restricting file system access
    +   for data storage.
    +
    +.. _production_config_geoserver_admin:
    +
     GeoServer Administrator Guidance
     --------------------------------
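Review bot: the new recommendation 5 reads "Provide each workspace admin with :ref:`sandbox <security_sandbox>` restricting file system access"; it needs an article ("with a :ref:`sandbox <security_sandbox>`") and would be clearer as "that restricts file system access for data storage". The unchanged item 4 above still says "a effective combination"; since this hunk touches the list, fixing "an effective" in the same pass is cheap.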
     
    @@ -108,6 +147,8 @@ In this workflow the Administration Console is used to adapt the application to
     
     Management of a web service using an administration console is a more common practice when running GeoServer as a windows web service.
     
    +.. _production_config_system_admin:
    +
     System Administrator Guidance
     -----------------------------
     
    
  • doc/en/user/source/security/root.rst · +8 −5 · modified
    @@ -5,14 +5,17 @@ Root account
     
     The highly configurable nature of GeoServer security may result in an administrator inadvertently disrupting normal authentication, essentially disabling all users including administrative accounts.  For this reason, the GeoServer security subsystem contains a **root account**. Much like its UNIX-style counterpart, this account provides "super user" status, and is meant to provide an alternative access method for fixing configuration issues.
     
    -The username for the root account is ``root``.  Its name cannot be changed and the password for the root account is the defined by the :ref:`security_webadmin_passwd_keystore`.
    +The username for the root account is ``root``.  Its name cannot be changed and the password for the root account is the :ref:`keystore password providers <security_webadmin_passwd_keystore>`.
     
    -Logging in as ``root`` is disabled by default and can be enabled by:
    +Logging in as ``root`` is disabled by default:
     
    -* Following the instructions in :ref:`security_webadmin_passwd_keystore`.
    -
    -* Enable manually by changing the Keystore Password Provider :file:`config.xml`, usually located in :file:`security/masterpw/default/config.xml`, by adding the following statement:
    +* Enable using the web admin console following the instructions in :ref:`security_webadmin_passwd_keystore`.
    +  
    +  You may also enable manually by changing the Keystore Password Provider :file:`config.xml`, usually located in :file:`security/masterpw/default/config.xml`, by adding the following statement:
        
       .. code-block:: xml
       
          <loginEnabled>true</loginEnabled>
    +
    +* Enable using application property ``GEOSERVER_ROOT_LOGIN_ENABLED``. With value of ``true``
    +  to enable, or value of ``false`` to disable, authentication of the ``root`` user. 
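Review bot: the rewritten sentence on the second changed line now says "the password for the root account is the :ref:`keystore password providers <security_webadmin_passwd_keystore>`", which no longer parses; suggest "is the keystore password, see :ref:`keystore password providers <security_webadmin_passwd_keystore>`". The new ``GEOSERVER_ROOT_LOGIN_ENABLED`` bullet should also state precedence: in this commit's GeoServerSecurityManager change a set property decides by itself and the ``<loginEnabled>`` value in :file:`config.xml` is not consulted, so a system administrator who sets the property to ``true`` enables root login regardless of what the GeoServer administrator chose in the web admin console, and a value of ``false`` disables it even if the console setting is on. Minor: "With value of ``true`` to enable, or value of ``false`` to disable" wants "With a value of", and the last added line ends in a trailing space.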
    
  • src/main/src/main/java/org/geoserver/security/auth/GeoServerRootAuthenticationProvider.java · +2 −2 · modified
    @@ -21,8 +21,8 @@
     import org.springframework.security.core.GrantedAuthority;
     
     /**
    - * An authentication provider for the superuser called {@link #ROOTUSERNAME}. This user hat the administrator role
    - * {@link GeoServerRole#ADMIN_ROLE} No other users are authenticated.
    + * An authentication provider for the superuser called {@link GeoServerUser#ROOT_USERNAME}. This user hat the
    + * administrator role {@link GeoServerRole#ADMIN_ROLE}. No other users are authenticated.
      *
      * <p>The password is checked using {@link GeoServerSecurityManager#checkMasterPassword(String)}
      *
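Review bot: the reflowed Javadoc keeps the typo "This user hat the administrator role"; since both lines are being rewritten anyway, change "hat" to "has".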
    
  • src/main/src/main/java/org/geoserver/security/GeoServerSecurityManager.java · +69 −46 · modified
    @@ -200,13 +200,16 @@ public class GeoServerSecurityManager implements ApplicationContextAware, Applic
         /** default config file name */
         public static final String CONFIG_FILENAME = "config.xml";
     
    -    /** master password config file name */
    +    /** Application property allowing root user to authenticate using keystore password. */
    +    public static final String GEOSERVER_ROOT_LOGIN_ENABLED = "GEOSERVER_ROOT_LOGIN_ENABLED";
    +
    +    /** keystore password config file name */
         public static final String MASTER_PASSWD_CONFIG_FILENAME = "masterpw.xml";
     
    -    /** master password digest file name */
    +    /** keystore password digest file name */
         public static final String MASTER_PASSWD_DIGEST_FILENAME = "masterpw.digest";
     
    -    /** default master password */
    +    /** default keystore password */
         public static final char[] MASTER_PASSWD_DEFAULT = "geoserver".toCharArray();
     
         /** the core spring authentication provider manager */
    @@ -227,10 +230,10 @@ public class GeoServerSecurityManager implements ApplicationContextAware, Applic
         /** current security config */
         SecurityManagerConfig securityConfig = new SecurityManagerConfig();
     
    -    /** current master password config */
    +    /** current keystore password config */
         MasterPasswordConfig masterPasswordConfig = new MasterPasswordConfig();
     
    -    /** digested master password */
    +    /** digested keystore password */
         volatile String masterPasswdDigest;
     
         /** cached user groups */
    @@ -285,7 +288,7 @@ public GeoServerSecurityManager(GeoServerDataDirectory dataDir) throws Exception
             this.dataDir = dataDir;
     
             /*
    -         * JD we have to ensure that the master password is initialized first thing, before the
    +         * JD we have to ensure that the keystore password is initialized first thing, before the
              * catalog since we need to decrypt configuration the passwords, the rest of the security
              * initializes occurs at the end of startup
              */
    @@ -421,7 +424,7 @@ public void reload() {
             try {
                 // check for an outstanding masster password change
                 keyStoreProvider.commitMasterPasswordChange();
    -            // check if there is an outstanding master password change in case of SPrin injection
    +            // check if there is an outstanding keystore password change in case of spring injection
                 init();
                 for (GeoServerSecurityProvider securityProvider :
                         GeoServerExtensions.extensions(GeoServerSecurityProvider.class)) {
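Review bot: the unchanged comment directly above the edited one still reads "outstanding masster password change"; since this hunk rewords the adjacent comment, fix that typo in the same pass.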
    @@ -573,7 +576,7 @@ void init() throws Exception {
     
         synchronized void init(SecurityManagerConfig config) throws Exception {
     
    -        // load the master password provider
    +        // load the keystore password provider
     
             //  prepare the keystore providing needed key material
             getKeyStoreProvider().reloadKeyStore();
    @@ -778,7 +781,7 @@ public Resource filterRoot() throws IOException {
             return get("security/filter");
         }
     
    -    /** Master password provider root */
    +    /** Keystore password provider root */
         public Resource masterPasswordProvider() throws IOException {
             return get("security/masterpw");
         }
    @@ -1511,26 +1514,26 @@ public synchronized void saveSecurityConfig(SecurityManagerConfig config) throws
             fireChanged();
         }
     
    -    /** Returns the master password configuration. */
    +    /** Returns the keystore password configuration. */
         public MasterPasswordConfig getMasterPasswordConfig() {
             return new MasterPasswordConfig(masterPasswordConfig);
         }
     
         /**
    -     * Saves the master password configuration.
    +     * Saves the keystore password configuration.
          *
          * @param config The new configuration.
    -     * @param currPasswd The current master password.
    +     * @param currPasswd The current keystore password.
          * @param newPasswd The new password, may be null depending on strategy used.
          * @param newPasswdConfirm The confirmation password
          * @throws MasterPasswordChangeException If there is a validation error with the new config
    -     * @throws PasswordPolicyException If the new password violates the master password policy
    +     * @throws PasswordPolicyException If the new password violates the keystore password policy
          */
         public synchronized void saveMasterPasswordConfig(
                 MasterPasswordConfig config, char[] currPasswd, char[] newPasswd, char[] newPasswdConfirm)
                 throws Exception {
     
    -        // load the (possibly new) master password provider
    +        // load the (possibly new) keystore password provider
             MasterPasswordProviderConfig mpProviderConfig = loadMasterPassswordProviderConfig(config.getProviderName());
             MasterPasswordProvider mpProvider = loadMasterPasswordProvider(config.getProviderName());
     
    @@ -1569,7 +1572,7 @@ public synchronized void saveMasterPasswordConfig(
                         }
                     }
     
    -                // save out the master password config
    +                // save out the keystore password config
                     saveMasterPasswordConfig(config);
     
                     // redigest
    @@ -1586,7 +1589,7 @@ public synchronized void saveMasterPasswordConfig(
                     // error occurred, roll back
                     ksProvider.abortMasterPasswordChange();
     
    -                // revert to old master password config
    +                // revert to old keystore password config
                     this.masterPasswordConfig = oldConfig;
                     this.masterPasswdDigest = oldMasterPasswdDigest;
                     saveMasterPasswordDigest(oldMasterPasswdDigest);
    @@ -1596,38 +1599,58 @@ public synchronized void saveMasterPasswordConfig(
             }
         }
     
    -    /** Saves master password config out directly, not during a password change. */
    +    /** Saves keystore password config out directly, not during a password change. */
         public void saveMasterPasswordConfig(MasterPasswordConfig config) throws IOException {
             xStreamPersist(security().get(MASTER_PASSWD_CONFIG_FILENAME), config, globalPersister());
             this.masterPasswordConfig = new MasterPasswordConfig(config);
         }
     
    -    /** Checks the specified password against the master password. */
    +    /** Checks the specified password against the keystore password. */
         public boolean checkMasterPassword(String passwd) {
             return checkMasterPassword(passwd.toCharArray(), true);
         }
     
    -    /** Checks the specified password against the master password. */
    +    /**
    +     * Checks the specified password against the keystore password.
    +     *
    +     * <p>The ability to use forLogin {@code true} is optional, and can be defined by the application property
    +     * ROOT_LOGIN_ENABLED, or the setting {@link MasterPasswordProviderConfig#isLoginEnabled()}.
    +     *
    +     * @param passwd The password to check
    +     * @param forLogin Indicate if the check is intended to authenticate the "root" user for login
    +     */
         public boolean checkMasterPassword(String passwd, boolean forLogin) {
             return checkMasterPassword(passwd.toCharArray(), forLogin);
         }
     
    -    /** Checks the specified password against the master password. */
    +    /** Checks the specified password against the keystore password. */
         public boolean checkMasterPassword(char[] passwd) {
             return checkMasterPassword(passwd, true);
         }
     
    -    /** Checks the specified password against the master password. */
    +    /**
    +     * Checks the specified password against the keystore password.
    +     *
    +     * <p>The ability to use forLogin {@code true} is optional, and can be defined by the application property
    +     * ROOT_LOGIN_ENABLED, or the setting {@link MasterPasswordProviderConfig#isLoginEnabled()}.
    +     *
    +     * @param passwd The password to check
    +     * @param forLogin Indicate if the check is intended to authenticate the "root" user for login
    +     */
         public boolean checkMasterPassword(char[] passwd, boolean forLogin) {
             try {
    -            if (forLogin
    -                    && !this.masterPasswordProviderHelper
    +            if (forLogin) {
    +                final String value = GeoServerExtensions.getProperty(GEOSERVER_ROOT_LOGIN_ENABLED);
    +                if (value != null) {
    +                    if (!Boolean.parseBoolean(value)) return false;
    +                } else {
    +                    if (!this.masterPasswordProviderHelper
                                 .loadConfig(this.masterPasswordConfig.getProviderName(), true)
    -                            .isLoginEnabled()) {
    -                return false;
    +                            .isLoginEnabled()) return false;
    +                }
                 }
             } catch (IOException e) {
    -            throw new RuntimeException("Unable to load master password provider config", e);
    +            throw new RuntimeException("Unable to load keystore password provider config", e);
             }
     
             GeoServerDigestPasswordEncoder pwEncoder = loadPasswordEncoder(GeoServerDigestPasswordEncoder.class);
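Review bot: the Javadoc added on both checkMasterPassword overloads names the property as ROOT_LOGIN_ENABLED, but the constant this hunk actually reads is GEOSERVER_ROOT_LOGIN_ENABLED; use {@link #GEOSERVER_ROOT_LOGIN_ENABLED} so the name cannot drift. The same Javadoc should spell out the semantics the new branch introduces: a set property is final and isLoginEnabled() is then never consulted, and the value goes through Boolean.parseBoolean, so any set value other than a case-insensitive "true" (for example "1" or "yes") disables root login. Failing closed is the right direction for an emergency superuser switch, but an operator who typed "1" will otherwise have no idea why root cannot log in, so consider logging at WARNING when the property is set to an unrecognised value. Style: the two braceless bodies `if (!Boolean.parseBoolean(value)) return false;` and `.isLoginEnabled()) return false;` are out of step with the braced style used elsewhere in this method.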
    @@ -1638,7 +1661,7 @@ public boolean checkMasterPassword(char[] passwd, boolean forLogin) {
                             // look for file
                             masterPasswdDigest = loadMasterPasswordDigest();
                         } catch (IOException e) {
    -                        throw new RuntimeException("Unable to create master password digest", e);
    +                        throw new RuntimeException("Unable to create keystore password digest", e);
                         }
                     }
                 }
    @@ -1678,7 +1701,7 @@ String computeAndSaveMasterPasswordDigest(char[] passwd) throws IOException {
         }
     
         /**
    -     * Returns the master password in plain text.
    +     * Returns the keystore password in plain text.
          *
          * <p>This method is package protected and only allowed to be called by classes in this package.
          *
    @@ -1728,7 +1751,7 @@ public void disposePassword(byte[] passwd) {
          *
          * <p>This method returns <code>null</code> if the provider config is not found.
          *
    -     * @param name The name of the master password provider configuration.
    +     * @param name The name of the keystore password provider configuration.
          */
         public MasterPasswordProviderConfig loadMasterPassswordProviderConfig(String name) throws IOException {
             return masterPasswordProviderHelper.loadConfig(name, true);
    @@ -1739,20 +1762,20 @@ public MasterPasswordProviderConfig loadMasterPassswordProviderConfig(String nam
          *
          * <p>This method returns <code>null</code> if the provider config is not found.
          *
    -     * @param name The name of the master password provider configuration.
    +     * @param name The name of the keystore password provider configuration.
          */
         protected MasterPasswordProvider loadMasterPasswordProvider(String name) throws IOException {
             return masterPasswordProviderHelper.load(name);
         }
     
    -    /** Saves/persists a master password provider configuration. */
    +    /** Saves/persists a keystore password provider configuration. */
         public void saveMasterPasswordProviderConfig(MasterPasswordProviderConfig config)
                 throws IOException, SecurityConfigException {
             saveMasterPasswordProviderConfig(config, true);
         }
     
         /**
    -     * Saves master password provider configuration, optionally skipping validation.
    +     * Saves keystore password provider configuration, optionally skipping validation.
          *
          * <p>Validation only skipped during migration.
          */
    @@ -1777,7 +1800,7 @@ void saveMasterPasswordProviderConfig(MasterPasswordProviderConfig config, boole
             masterPasswordProviderHelper.saveConfig(config);
         }
     
    -    /** Removes a master password provider configuration. */
    +    /** Removes a keystore password provider configuration. */
         public void removeMasterPasswordProvder(MasterPasswordProviderConfig config)
                 throws IOException, SecurityConfigException {
     
    @@ -1788,7 +1811,7 @@ public void removeMasterPasswordProvder(MasterPasswordProviderConfig config)
             masterPasswordProviderHelper.removeConfig(config.getName());
         }
     
    -    /** Lists all available master password provider configurations. */
    +    /** Lists all available keystore password provider configurations. */
         public SortedSet<String> listMasterPasswordProviders() throws IOException {
             return listFiles(masterPasswordProvider());
         }
    @@ -1799,7 +1822,7 @@ void fireChanged() {
             }
         }
     
    -    /** @return the master password used for the migration */
    +    /** @return the keystore password used for the migration */
         char[] extractMasterPasswordForMigration(Properties props) throws Exception {
     
             Map<String, String> candidates = new HashMap<>();
    @@ -1817,7 +1840,7 @@ char[] extractMasterPasswordForMigration(Properties props) throws Exception {
                     UserAttribute attr = (UserAttribute) configAttribEd.getValue();
                     if (attr == null) continue;
     
    -                // The master password policy is not yet available, the default is to
    +                // The keystore password policy is not yet available, the default is to
                     // have a minimum of 8 chars --> all passwords shorter than 8 chars
                     // are no candidates
                     if (attr.getPassword() == null || attr.getPassword().length() < 8) continue;
    @@ -1859,7 +1882,7 @@ char[] extractMasterPasswordForMigration(Properties props) throws Exception {
         }
     
         /**
    -     * Get master password for REST configuraton
    +     * Get keystore password for REST configuration
          *
          * <p>The method inspects the stack trace to check for an authorized calling method. The authenticated principal has
          * to be an administrator
    @@ -1869,14 +1892,14 @@ char[] extractMasterPasswordForMigration(Properties props) throws Exception {
         public char[] getMasterPasswordForREST() throws IOException {
     
             if (checkAuthenticationForAdminRole() == false) {
    -            throw new IOException("Unauthorized user tries to read master password");
    +            throw new IOException("Unauthorized user tries to read keystore password");
             }
     
             String[][] allowedMethods = {{"org.geoserver.rest.security.MasterPasswordController", "masterPasswordGet"}};
     
             String result = checkStackTrace(10, allowedMethods);
             if (result != null) {
    -            throw new IOException("Unauthorized method wants to read master password\n" + result);
    +            throw new IOException("Unauthorized method wants to read keystore password\n" + result);
             }
     
             return getMasterPassword();
    @@ -1934,7 +1957,7 @@ boolean migrateFrom21() throws Exception {
     
             LOGGER.info("Start security migration");
     
    -        // master password configuration
    +        // keystore password configuration
             MasterPasswordProviderConfig mpProviderConfig = loadMasterPassswordProviderConfig("default");
             if (mpProviderConfig == null) {
                 mpProviderConfig = new URLMasterPasswordProviderConfig();
    @@ -1946,7 +1969,7 @@ boolean migrateFrom21() throws Exception {
                 ((URLMasterPasswordProviderConfig) mpProviderConfig).setEncrypting(true);
                 saveMasterPasswordProviderConfig(mpProviderConfig, false);
     
    -            // save out the default master password
    +            // save out the default keystore password
                 MasterPasswordProvider mpProvider = loadMasterPasswordProvider(mpProviderConfig.getName());
                 Resource propFile = security().get("users.properties");
                 Properties userprops = null;
    @@ -1989,7 +2012,7 @@ boolean migrateFrom21() throws Exception {
     
             validator = loadPasswordValidator(PasswordValidator.MASTERPASSWORD_NAME);
             if (validator == null) {
    -            // Policy requires a minimum of 8 chars for the master password
    +            // Policy requires a minimum of 8 chars for the keystore password
                 PasswordPolicyConfig pwpconfig = new PasswordPolicyConfig();
                 pwpconfig.setName(PasswordValidator.MASTERPASSWORD_NAME);
                 pwpconfig.setClassName(PasswordValidatorImpl.class.getName());
    @@ -2523,7 +2546,7 @@ public SecurityManagerConfig loadSecurityConfig() throws IOException {
         }
     
         /*
    -     * loads the master password config
    +     * loads the keystore password config
          */
         public MasterPasswordConfig loadMasterPasswordConfig() throws IOException {
             Resource resource = security().get(MASTER_PASSWD_CONFIG_FILENAME);
    @@ -2856,13 +2879,13 @@ public MasterPasswordProvider load(String name) throws IOException {
                     }
                 }
                 if (provider == null) {
    -                throw new IOException("No master password provider matching config: " + config);
    +                throw new IOException("No keystore password provider matching config: " + config);
                 }
     
                 // ensure that the provider is a final class
                 if (!Modifier.isFinal(provider.getClass().getModifiers())) {
    -                throw new RuntimeException(
    -                        "Master password provider class: " + provider.getClass().getCanonicalName() + " is not final");
    +                throw new RuntimeException("Keystore password provider class: "
    +                        + provider.getClass().getCanonicalName() + " is not final");
                 }
     
                 provider.setName(config.getName());
    
  • src/security/security-tests/src/test/java/org/geoserver/security/auth/GeoServerRootAuthenticationProviderTest.java · +13 −0 · modified
    @@ -12,6 +12,7 @@
     import static org.junit.Assert.assertNull;
     import static org.junit.Assert.assertTrue;
     
    +import org.geoserver.security.GeoServerSecurityManager;
     import org.geoserver.security.GeoServerSecurityTestSupport;
     import org.geoserver.security.impl.GeoServerUser;
     import org.geoserver.security.password.MasterPasswordProviderConfig;
    @@ -50,12 +51,14 @@ public void testRootProvider() throws Exception {
             assertNull(provider.authenticate(token));
     
             String masterPassword = getMasterPassword();
    +
             // We need to enable Master Root login first
             MasterPasswordProviderConfig masterPasswordConfig = getSecurityManager()
                     .loadMasterPassswordProviderConfig(
                             getSecurityManager().getMasterPasswordConfig().getProviderName());
             masterPasswordConfig.setLoginEnabled(true);
             getSecurityManager().saveMasterPasswordProviderConfig(masterPasswordConfig);
    +
             token = new UsernamePasswordAuthenticationToken(GeoServerUser.ROOT_USERNAME, masterPassword);
             token.setDetails("hallo");
             UsernamePasswordAuthenticationToken result = (UsernamePasswordAuthenticationToken) provider.authenticate(token);
    @@ -64,5 +67,15 @@ public void testRootProvider() throws Exception {
             assertNull(result.getCredentials());
             assertEquals(GeoServerUser.ROOT_USERNAME, result.getPrincipal());
             assertEquals("hallo", result.getDetails());
    +
    +        try {
    +            System.setProperty(GeoServerSecurityManager.GEOSERVER_ROOT_LOGIN_ENABLED, "false");
    +            assertNull("disable root login", provider.authenticate(token));
    +
    +            System.setProperty(GeoServerSecurityManager.GEOSERVER_ROOT_LOGIN_ENABLED, "true");
    +            assertNotNull("enable root login", provider.authenticate(token));
    +        } finally {
    +            System.getProperties().remove(GeoServerSecurityManager.GEOSERVER_ROOT_LOGIN_ENABLED);
    +        }
         }
     }
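Review bot: the new try block only exercises the property after loginEnabled has already been set to true in the provider config, so the override the production change introduces (property "true" while the saved config still has loginEnabled false) is never covered; add a case that saves the config with setLoginEnabled(false), sets the property to "true" and asserts authenticate(token) is non-null, and a matching case that an unrecognised value such as "yes" yields null. Confirm that assertNotNull is among the static imports; only assertNull and assertTrue are visible in the context of the earlier hunk. The finally block correctly removes the property, but the loginEnabled=true saved earlier in the test is never reverted, which can leak into other tests sharing the security manager.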
    
