CVE-2024-29198

HIGH
Published 2025-06-10T14:27:39.485Z
CVSS Score

V3.1
7.5
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score Metrics
Exploitability: 3.9 Impact: 3.6 (sub-scores derived from the CVSS 3.1 vector above; the page itself lists them as N/A)

EPSS Score

v2025.03.14
0.000
probability
of exploitation in the wild

The EPSS estimate of the chance that this vulnerability will be exploited in the wild within the next 30 days rounds to 0.0%.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.110
Higher than 11.0% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
NONE
Availability
NONE

Description

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4, or 2.25.2, removes the TestWfsPost servlet, resolving this issue.

Available Exploits

GeoServer Demo Request Endpoint - Server Side Request Forgery

It is possible to achieve Server Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. An unauthenticated user can supply a request that will be issued by the server, allowing enumeration of internal networks and, in the case of cloud instances, access to sensitive data.

ID: CVE-2024-29198
Author: iamnoooobpdresearch
Severity: High

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

ENISA Analysis

GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost

Affected Products (ENISA)

geoserver
geoserver

ENISA Scoring

CVSS Score (3.1)

7.5
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

5.000
probability

Data provided by ENISA EU Vulnerability Database. Last updated: June 10, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

GitHub Reviewed, severity HIGH

GeoServer Vulnerable to Unauthenticated SSRF via TestWfsPost

GHSA-5gw5-jccf-6hxw

Advisory Details

### Summary

It is possible to achieve Server Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set.

### Details

An unauthenticated user can supply a request that will be issued by the server. This can be used to enumerate internal networks and, in the case of cloud instances, to obtain sensitive data.

### Mitigation

1. When using GeoServer with a proxy, manage the proxy base value as a system administrator: use the application property ``PROXY_BASE_URL`` to provide a non-empty value that cannot be overridden by the user interface or by an incoming request.
2. When using GeoServer directly without a proxy, block all access to TestWfsPost by editing the web.xml file, adding this block right before the end:

```xml
<!-- Deny-all constraint: no user is ever granted the BLOCKED role,
     so every request under /TestWfsPost/* is refused by the container. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>BlockDemoRequests</web-resource-name>
    <url-pattern>/TestWfsPost/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>BLOCKED</role-name>
  </auth-constraint>
</security-constraint>
```

### Resolution

Upgrading to GeoServer 2.24.4, or 2.25.2, removes the ``TestWfsPost`` servlet, resolving this issue. The demo request page functionality is now implemented directly in the browser.

### Reference

- https://osgeo-org.atlassian.net/browse/GEOS-11794
- https://osgeo-org.atlassian.net/browse/GEOS-11390
- https://nvd.nist.gov/vuln/detail/CVE-2021-40822

Affected Packages

Maven org.geoserver:gs-wfs: ≥2.0.0 <2.24.4 and ≥2.25.0 <2.25.2
Maven org.geoserver.web:gs-app: ≥2.0.0 <2.24.4 and ≥2.25.0 <2.25.2

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Advisory provided by GitHub Security Advisory Database. Published: June 10, 2025, Modified: June 10, 2025

Published: 2025-06-10T14:27:39.485Z
Last Modified: 2025-06-17T19:12:00.664Z