On 01-07-2024 16:43, Jody Garnett wrote:
> I am not sure we have been notified about that vulnerability; searching
> my email, you are the first.
> Just because someone has opened a CVE does not indicate they have
> contacted the open source project at all. Please forward to the
> geoserver-security email list (see security policy). It would be helpful
> if you describe what steps you have already taken to verify, so the
> volunteers do not duplicate your effort.

In fact, just because someone managed to open a CVE record, it does not
mean there is an actual vulnerability.
The records at NIST
https://nvd.nist.gov/vuln/detail/CVE-2023-5786
provide a link to
https://github.com/Qxyday/GeoServe---unauthorized
That seems to be the original input and exploit. (Based on the
descriptions and that page, I fail to see any vulnerability at all!)
Note that the CVE is logged against GWC 1.15.0 and 1.15.1, both are >5
years old and no longer used in project-supported versions of GeoServer
afaik.
Mark
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, by Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users