GHSA-2p76-gc46-5fvc

GitHub Security Advisory

GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint

GitHub Reviewed · Severity: HIGH

Advisory Details

### Impact

GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation.

This vulnerability is particularly severe because the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files from the server.
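As an added illustration (not code from the advisory, GeoNetwork or GeoTools), the Java snippet below shows the parser-side control that removes this class of bug: a JAXP `DocumentBuilder` and schema `Validator` configured to refuse DOCTYPE declarations and all external DTD/schema access, run against a constructed document that declares an external entity. The sample document, the minimal schema and the `file:///placeholder/...` URI are all made up for the example; the default-configured factory appears only to show that, without hardening, the parser hands the entity's system identifier to the entity resolver for fetching.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlValidation {

    // Constructed sample: a WFS-style feature document that declares an external entity.
    // The file URI is a placeholder, not a real path.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE features [ <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\"> ]>\n"
        + "<features><feature>&ext;</feature></features>";

    // Constructed minimal XML Schema matching the sample document.
    static final String SAMPLE_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
        + "<xs:element name=\"features\"><xs:complexType><xs:sequence>"
        + "<xs:element name=\"feature\" type=\"xs:string\" maxOccurs=\"unbounded\"/>"
        + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    /** A DocumentBuilderFactory that refuses DTDs and never resolves external entities. */
    static DocumentBuilderFactory hardenedBuilderFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** A Schema whose factory cannot fetch external DTDs or schema documents (JAXP 1.5 properties). */
    static Schema hardenedSchema() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf.newSchema(new StreamSource(new StringReader(SAMPLE_XSD)));
    }

    /** Parses and schema-validates with the hardened settings; false means the input was rejected. */
    static boolean parseAndValidate(String xml) throws Exception {
        try {
            DocumentBuilder db = hardenedBuilderFactory().newDocumentBuilder();
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            Validator v = hardenedSchema().newValidator();
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            v.validate(new DOMSource(doc));
            return true;
        } catch (SAXException e) {
            // The DOCTYPE sample fails here, before any entity is resolved.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    /**
     * Contrast only: a default-configured factory accepts the DOCTYPE and asks the
     * EntityResolver for the external entity. The resolver records the system id and
     * returns empty content instead of fetching anything.
     */
    static String entityRequestedByDefaultParser(String xml) throws Exception {
        final String[] requested = {null};
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        db.setEntityResolver((publicId, systemId) -> {
            requested[0] = systemId;
            return new InputSource(new StringReader(""));
        });
        db.parse(new InputSource(new StringReader(xml)));
        return requested[0];
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened: DOCTYPE sample accepted? " + parseAndValidate(SAMPLE_WITH_DOCTYPE));
        System.out.println("hardened: clean sample accepted?   "
            + parseAndValidate("<features><feature>a</feature></features>"));
        System.out.println("default: entity requested = " + entityRequestedByDefaultParser(SAMPLE_WITH_DOCTYPE));
    }
}
```

With the hardened factory the first call prints a rejection as soon as the `<!DOCTYPE` is seen, so no entity is ever resolved; the clean document still validates. The default factory, by contrast, calls the resolver with the placeholder `file:///` URI, which is exactly the step a schema-validation path must never reach when the input comes from an unauthenticated network endpoint. Applying the same properties to every `SchemaFactory`, `Validator` and `XMLInputFactory` the application creates is the durable fix; the version upgrade in the next section is how GeoNetwork and GeoTools shipped it.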

### Patches

GeoNetwork 4.4.8 / 4.2.13.

### Workarounds

Remove the `gn-wfsfeature-harvester` and `gn-camelPeriodicProducer` jars, disabling the WFS Index functionality.

### References

- [GHSA-826p-4gcg-35vw](https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw)
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812

Affected Packages

| Ecosystem | Package | Affected versions |
|---|---|---|
| Maven | org.geonetwork-opensource:gn-web-app | 4.4.0 (fixed in 4.4.8) |
| Maven | org.geonetwork-opensource:gn-web-app | 4.2.0 (fixed in 4.2.13) |
| Maven | org.geonetwork-opensource:gn-wfsfeature-harvester | 4.4.0 (fixed in 4.4.8) |
| Maven | org.geonetwork-opensource:gn-wfsfeature-harvester | 4.2.0 (fixed in 4.2.13) |

Key Information

- GHSA ID: GHSA-2p76-gc46-5fvc
- Published: June 10, 2025 8:10 PM
- Last Modified: June 10, 2025 8:10 PM
- CVSS Score: 7.5 / 10
- Primary Ecosystem: Maven
- Primary Package: org.geonetwork-opensource:gn-web-app
- GitHub Reviewed: Yes

Dataset

Last updated: June 17, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.