apk package
chainguard/geoserver-2.28-docker
pkg:apk/chainguard/geoserver-2.28-docker
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68161 | — | | | < 2.28.1-r3 | 2.28.1-r3 | Dec 18, 2025 | The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName (https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) co |
| CVE-2024-38819 | High | 7.5 | | < 2.28.1-r1 | 2.28.1-r1 | Dec 19, 2024 | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S |
| CVE-2024-38828 | Medium | 5.3 | | < 2.28.1-r1 | 2.28.1-r1 | Nov 18, 2024 | Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. |
| CVE-2023-35042 | — | | | < 2.28.0-r0 | 2.28.0-r0 | Jun 12, 2023 | GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in |