Hi All,

In light of the recent-ish
CVE: https://www.opencve.io/cve/CVE-2024-36401 I am going around and checking 
our geoserver versions to check if they are vulnerable.  I am a little stumped.

We use the official geoserver images tagged
'docker.osgeo.org/geoserver:2.24.x'.  In the web interface of a
geoserver so running, the version is reported as 2.24-SNAPSHOT.
According to the CVE, versions prior to 2.24.4 are vulnerable.  Now I
think we're fine in practice, because the build date is reported as
2024-07-05 and 24.4.4 was released 3 weeks ago, but still.

I can't find anything in the geoserver documentation that details what
exactly the SNAPSHOT version is. Is there a good way to confirm whether
or not the geoserver is vulnerable to CVE-2024-36401 with some amount
of certainty?

Many Thanks
Max

