CVE-2024-38524
Published 2025-06-10
Priority: P3 (41) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.37% (29.0th percentile)
GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check that hides potentially sensitive information from users; the only control is a hidden system property that suppresses the storage locations, and it defaults to showing them. This vulnerability is fixed in 2.26.2 and 2.25.6.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | geoserver | < 2.25.6 | 2.25.6 |
| geoserver | geoserver | — | — |
| osgeo | geoserver | < 2.25.6 | 2.25.6 |
| osgeo | geoserver | >= 2.26.0 < 2.26.2 | 2.26.2 |
GHSA
GWC Home Page communicates version and revision information
ghsa · 2025-06-10
CVE-2024-38524 [MEDIUM] CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
### Summary
The GeoWebCache home page includes version and revision information about the software in use. This information is sensitive from a security point of view because it allows software used by the server to be easily identified.
### Details
org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check that hides potentially sensitive information from users; the only control is a hidden system property that suppresses the storage locations, and it defaults to showing them.
### PoC
Open http://localhost:8080/geoserver/gwc/ (the GeoWebCache front page) in a browser.
### Impact
In addition to exposing the version and revision information, the home page will expose the config file and storage locations which may expose the system'
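As an added example (not code from the GeoServer or GeoWebCache projects), the script below ties the affected-version table to the PoC above: `is_affected()` decides whether a GeoServer version string lies in the ranges listed on this page, and `scan_front_page()` scans the HTML returned by the PoC URL for the version/revision strings and absolute config/storage paths the advisory describes. Both HTML samples are constructed for the example; the real page's markup is not reproduced here, so the patterns are deliberately loose, and the system property the advisory calls "hidden" is not named because the page does not name it.

```python
"""Checks for CVE-2024-38524 (GeoWebCache front page disclosure).

Added example, not GeoServer/GeoWebCache project code.
  is_affected():      GeoServer version vs. the ranges on this page
                      (< 2.25.6, and 2.26.0 <= v < 2.26.2).
  scan_front_page():  scan of the HTML served at /geoserver/gwc/ for the
                      version/revision and filesystem locations it exposes.
SAMPLE_HTML and SAMPLE_HTML_FIXED are constructed for the example.
"""
import re
import sys
import urllib.request
from typing import Dict, List, Tuple

# Affected ranges as listed on this page, as half-open [lower, upper).
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((0, 0, 0), (2, 25, 6)),   # "< 2.25.6", fixed in 2.25.6
    ((2, 26, 0), (2, 26, 2)),  # ">= 2.26.0 < 2.26.2", fixed in 2.26.2
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.25.5' -> (2, 25, 5); tolerates suffixes such as '2.26.1-SNAPSHOT'."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad '2.26' to (2, 26, 0)


def is_affected(version: str) -> bool:
    """True if the GeoServer version lies in one of AFFECTED_RANGES."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# "version 1.25.5" -> "1.25.5"
VERSION_RE = re.compile(r"\bversion\s+v?([0-9][\w.\-]*)", re.I)
# a 7-40 char hex id after "build", "revision" or "commit"
REVISION_RE = re.compile(r"\b(?:build|revision|commit)\s+([0-9a-f]{7,40})\b", re.I)
# Absolute POSIX or Windows paths. The lookbehind skips URL paths such as
# http://host:8080/geoserver/gwc/ and quoted href="/..." attribute values,
# so a path that is itself quoted in the page text would be missed.
PATH_RE = re.compile(
    r"""(?<![\w:/"'=])(?:/(?:[\w.\-]+/)+[\w.\-]*|[A-Za-z]:\\(?:[\w.\-]+\\)+[\w.\-]*)"""
)


def scan_front_page(html: str) -> Dict[str, List[str]]:
    """Disclosures found in a GWC front page: version strings, revision/build
    ids and absolute filesystem paths (config file, storage locations)."""
    def uniq(items: List[str]) -> List[str]:
        seen, out = set(), []
        for i in items:
            if i not in seen:
                seen.add(i)
                out.append(i)
        return out
    return {
        "version": uniq(VERSION_RE.findall(html)),
        "revision": uniq(REVISION_RE.findall(html)),
        "paths": uniq(PATH_RE.findall(html)),
    }


def discloses_internals(html: str) -> bool:
    """True if the page leaks any of the three kinds of information."""
    return any(scan_front_page(html).values())


def fetch_front_page(base_url: str, timeout: float = 10.0) -> str:
    """GET <base_url>/gwc/ (the PoC URL) without credentials; live use only."""
    req = urllib.request.Request(base_url.rstrip("/") + "/gwc/",
                                 headers={"User-Agent": "cve-2024-38524-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample of a disclosing front page (not the real markup).
SAMPLE_HTML = """<html><body>
<h3>Welcome to GeoWebCache version 1.25.5, build 2a9f1c3d (2024-11-01)</h3>
<p>Config file: /opt/geoserver/data_dir/gwc-gs.xml</p>
<p>Local storage: /var/lib/geoserver/gwc</p>
<p>See <a href="http://localhost:8080/geoserver/gwc/demo/">demo</a></p>
</body></html>"""

# Constructed sample of a page that no longer exposes any of it.
SAMPLE_HTML_FIXED = """<html><body>
<h3>Welcome to GeoWebCache</h3>
<p>See <a href="/geoserver/gwc/demo/">demo</a></p>
</body></html>"""


if __name__ == "__main__":
    # Offline demo on the constructed page, or a live check when a base URL
    # such as http://localhost:8080/geoserver is given on the command line.
    page = fetch_front_page(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HTML
    print(scan_front_page(page))
    for v in ("2.25.5", "2.25.6", "2.26.1", "2.26.2"):
        print(v, "affected" if is_affected(v) else "not affected")
```

Run it with no arguments for the offline demo, or with the base URL of a GeoServer instance to fetch the real front page; a non-empty `paths` list is the disclosure of the config file and storage locations that the Impact section is about, and a positive `is_affected()` on the version the page reveals tells you the fix (2.25.6 or 2.26.2) has not been applied.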
OSV
GWC Home Page communicates version and revision information
osv · 2025-06-10
CVE-2024-38524 [MEDIUM]
The OSV entry carries the same Summary, Details, PoC and Impact text as the GHSA advisory above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-06-10