Skip to content

Geoserver for GeoNode sensitive information leak

Critical
giohappy published GHSA-87mh-vw7c-5v6w Mar 23, 2023

Package

geoserver-geonode-ext

Affected versions

=< 2.20.7

Patched versions

=< 2.20.7

Description

Impact

Anonymous users can obtain sensitive information about GeoNode configurations from the response of the /geoserver/rest/about/status Geoserver REST API endpoint. The Geoserver endpoint is secured by default, but the configuration of Geoserver for GeoNode opens a list of REST endpoints to support some of its public-facing services.

The vulnerability impacts both GeoNode 3 and GeoNode 4 instances.

Patches

Geoserver security configuration is provided by geoserver-geonode-ext. A patch for 2.20.7 has been released which blocks access to the affected endpoint.
The patch has been backported to branches 2.20.6, 2.19.7, 2.19.6 and 2.18.7
All the published artifacts and Docker images have been updated accordingly.

A more advanced patch has been applied to the master and development versions, which require some changes to GeoNode code. They will be available with the next 4.1.0 release.
By the way, the patch employed for the released version is equally effective.

Workarounds

The patched configuration only has an effect on new deployments. For existing setups, it must be applied manually inside the Geoserver data directory. The patched file must replace the existing <geoserver_datadir>/security/rest.properties file.

For a Docker setup:

  1. Assuming you have access to the server where the GeoNode container (django4myproject) is running
  2. Assuming you have permission to execute Docker commands
  3. Assuming you have saved this file containing the patch to your home folder (e.g. /home/myuser)

The following command will apply the patch to the Geoserver data directory:

>>docker cp /home/myuser/rest.properties django4myproject:/geoserver_data/data/security/

Geoserver will pick up the new configuration dynamically. No restart is required.
You can verify the patch has been applied by visiting the following endpoint (assuming https://mygeonode.org is the ULR for your GeoNode instance):

https://mygeonode.org/geoserver/rest/about/status

A prompt for credentials should appear in place of the response.

Severity

Critical

CVE ID

CVE-2023-28442

Weaknesses

No CWEs

Credits