GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page

High severity | GitHub Reviewed | Published Jun 11, 2026 in geoserver/geoserver | Updated Jun 12, 2026

Package                                     Affected versions        Patched versions
org.geoserver.web:gs-web-app (Maven)        >= 2.27.0, <= 2.27.2     2.27.3
                                            <= 2.26.3                2.26.4
org.geoserver.web:gs-web-sec-core (Maven)   >= 2.27.0, <= 2.27.2     2.27.3
                                            <= 2.26.3                2.26.4

Description

Summary

A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file; the target file cannot already exist, and all parent directories must already exist.

Details

When dumping the master password, GeoServer uses the provided file name with minimal validation: any value that forms a valid java.io.File path is accepted. The only limitation is that the fix for a previous, unrelated vulnerability prevents relative path traversal here, but absolute paths can still be used to reach arbitrary files. GeoServer also does not enforce a maximum password length by default, which allows an administrator to place malicious code in the password itself; that content could then be dumped into a JSP file.
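The two weaknesses described above (a path check that only blocks ".." and so accepts any absolute path, and an unbounded secret that ends up in the written file) are easiest to see side by side. The following is an added, self-contained Java illustration written for this page; it is not GeoServer's code, and the class, method names, the dump directory, the ".txt" restriction and the MAX_SECRET_LENGTH limit are all assumptions chosen for the example. It contrasts a weak check with a hardened resolver that rejects absolute input, confines the result to a fixed dump directory (including through symlinked parents), and refuses to overwrite an existing file.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

/** Illustrative path validation for a "dump secret to file" feature (not GeoServer code). */
public final class DumpPathCheck {

    /** Assumed upper bound on the secret so a dump can never carry an arbitrarily long payload. */
    static final int MAX_SECRET_LENGTH = 256;

    private DumpPathCheck() {}

    /** Weak check: only blocks "..", so any absolute path the process can write to is accepted. */
    static boolean weakAccepts(String fileName) {
        return !fileName.contains("..");
    }

    /**
     * Hardened check: absolute input is rejected, the name is resolved against a fixed dump
     * directory and normalized, the result must still lie inside that directory (also after
     * resolving symlinks in the parent), and only a harmless extension is allowed.
     */
    static Path resolveInsideDumpDir(Path dumpDir, String fileName) throws IOException {
        Path candidate = Paths.get(fileName);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed: " + fileName);
        }
        Path base = dumpDir.toAbsolutePath().normalize();
        Path resolved = base.resolve(candidate).normalize();
        if (resolved.equals(base) || !resolved.startsWith(base)) {
            throw new IllegalArgumentException("path escapes dump directory: " + fileName);
        }
        if (!resolved.getFileName().toString().endsWith(".txt")) {
            throw new IllegalArgumentException("only .txt dump files are allowed: " + fileName);
        }
        Path parent = resolved.getParent();
        if (parent == null || !Files.isDirectory(parent)) {
            throw new IllegalArgumentException("parent directory must already exist: " + fileName);
        }
        // toRealPath() follows symlinks, so a symlinked subdirectory pointing elsewhere is caught too.
        if (!parent.toRealPath().startsWith(base.toRealPath())) {
            throw new IllegalArgumentException("parent directory resolves outside dump directory");
        }
        return resolved;
    }

    /** Writes the secret only to a validated location and never over an existing file. */
    static Path dump(Path dumpDir, String fileName, char[] secret) throws IOException {
        if (secret.length > MAX_SECRET_LENGTH) {
            throw new IllegalArgumentException("secret exceeds " + MAX_SECRET_LENGTH + " characters");
        }
        Path target = resolveInsideDumpDir(dumpDir, fileName);
        // CREATE_NEW fails atomically if the file already exists.
        Files.write(target, new String(secret).getBytes(StandardCharsets.UTF_8),
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dumpDir = Files.createTempDirectory("dump-");
        // Constructed sample inputs: two benign names, one traversal, one absolute path, one bad extension.
        String[] inputs = {"master.txt", "sub/../master.txt", "../escape.txt", "/tmp/evil.jsp", "shell.jsp"};
        for (String in : inputs) {
            System.out.printf("weak check accepts     %-20s : %s%n", in, weakAccepts(in));
            try {
                System.out.printf("hardened check accepts %-20s -> %s%n", in, resolveInsideDumpDir(dumpDir, in));
            } catch (IllegalArgumentException e) {
                System.out.printf("hardened check rejects %-20s : %s%n", in, e.getMessage());
            }
        }
        Path written = dump(dumpDir, "master.txt", "correct horse battery staple".toCharArray());
        System.out.println("wrote " + written);
    }
}
```

Running the class shows the weak check accepting "/tmp/evil.jsp" and "shell.jsp" while the hardened resolver rejects both, and a second call to dump for the same name fails because CREATE_NEW refuses to overwrite; this mirrors the advisory's conditions (absolute path, target must not exist, parents must exist) and the two checks the page identifies as missing.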

Impact

Remote Code Execution (High severity)

This vulnerability can lead to arbitrary code execution if GeoServer is deployed in an environment where an attacker can dynamically deploy and execute a JSP file. This is the case when the geoserver.war file is simply placed into the webapps directory of a default Tomcat installation.

NTLM Hash Disclosure (Moderate severity)

If GeoServer is deployed in a Windows operating system and the GeoServer administrator does not already have access to the Windows account running the GeoServer process, it may be possible for the administrator to make GeoServer trigger an outbound NTLM request to a remote, attacker-controlled server and gain access to the NTLM hash or user password for use in future attacks.

Denial of Service (Low severity)

This vulnerability allows writing a file to any location where the GeoServer process has write permissions, which could still be used to cause some form of denial of service.

Mitigation

GeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages.

Resources

https://osgeo-org.atlassian.net/browse/GEOS-11852
geoserver/geoserver#8584

References

jodygarnett (@jodygarnett) published to geoserver/geoserver on Jun 11, 2026
Published to the GitHub Advisory Database Jun 12, 2026
Reviewed Jun 12, 2026
Last updated Jun 12, 2026

Severity

High


CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weaknesses

External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

CVE ID

CVE-2025-52465

GHSA ID

GHSA-7qmg-grcp-qf25
