CVE-2024-24749

7.5 HIGH

📋 TL;DR

This vulnerability in GeoServer allows attackers to bypass input validation and read arbitrary classpath resources with specific file extensions when deployed on Windows with Apache Tomcat. If using an embedded data directory (rare in production), it could lead to administrator privilege escalation. Affected are GeoServer deployments on Windows with Apache Tomcat prior to versions 2.23.5 and 2.24.3.

💻 Affected Systems

Products:
  • GeoServer
  • GeoWebCache
Versions: All versions prior to 2.23.5 and 2.24.3
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when deployed on Windows with Apache Tomcat. Embedded data directory configuration (rare in production) increases risk significantly.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with administrator privileges if using an embedded data directory, allowing attacker control over the geospatial data server.

🟠 Likely Case: Information disclosure of sensitive classpath resources, potentially exposing configuration files, credentials, or other sensitive data.

🟢 If Mitigated: Limited impact with proper external data directory configuration and access controls in place.

🌐 Internet-Facing: MEDIUM - Exploitable remotely if GeoWebCache endpoints are exposed, but requires specific Windows/Tomcat configuration.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if vulnerable configuration exists within network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires specific file extension targeting and Windows path traversal knowledge. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.23.5 or 2.24.3

Vendor Advisory: https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3

Restart Required: Yes

Instructions:

1. Download GeoServer 2.23.5 or 2.24.3 from official sources.
2. Back up the current configuration and data.
3. Deploy the updated WAR file or install the updated version.
4. Restart the application server.
5. Verify functionality.

🔧 Temporary Workarounds

  • Switch to Linux environment (scope: all): Migrate the GeoServer deployment from Windows to a Linux operating system.
  • Change application server to Jetty (scope: Windows): Replace Apache Tomcat with the Jetty application server.
  • Disable anonymous GeoWebCache access (scope: all): Restrict access to GeoWebCache administration and status pages; configure authentication in web.xml or the application security settings.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate GeoServer from untrusted networks
  • Deploy web application firewall (WAF) with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check GeoServer version via web interface (Settings → About) or examine WAR file version. Verify deployment on Windows with Apache Tomcat.

Check Version:

curl -s http://geoserver-host:port/geoserver/web/ | grep -i 'version'

(or check the web interface)

Verify Fix Applied:

Confirm the version is 2.23.5 or higher (2.23.x branch) or 2.24.3 or higher (2.24.x branch). Confirm that path traversal attempts return proper error responses rather than file contents.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to GeoWebCache endpoints with path traversal patterns
  • Multiple failed attempts to access classpath resources
  • Requests for specific file extensions (.properties, .xml, .txt)

Network Indicators:

  • HTTP requests containing '../' patterns to GeoServer endpoints
  • Unusual traffic to /geoserver/gwc/rest paths

SIEM Query:

source="*geoserver*" AND (uri="*..*" OR uri="*gwc*" OR user_agent="*scanner*")
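The log indicators above, turned into a small detector as an added example (not part of the original advisory page): it parses Tomcat combined-format access-log lines, normalises each URI (repeated percent-decoding and backslash-to-slash folding, since Windows-style traversal may arrive as `..\` or `%5c`), and flags traversal segments and sensitive extensions under the GeoWebCache path. The log lines, IPs and file names are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat combined-format access-log lines (assumed sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /geoserver/web/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Mar/2024:10:00:02 +0000] "GET /geoserver/gwc/rest/layers HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2024:10:00:03 +0000] "GET /geoserver/gwc/rest/../../example.properties HTTP/1.1" 404 0 "-" "curl/8.4"
203.0.113.9 - - [01/Mar/2024:10:00:04 +0000] "GET /geoserver/gwc/rest/..%5c..%5cexample.xml HTTP/1.1" 200 900 "-" "curl/8.4"
198.51.100.2 - - [01/Mar/2024:10:00:05 +0000] "GET /geoserver/ows?service=WMS&request=GetCapabilities HTTP/1.1" 200 300 "-" "python-requests/2.31"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)
SENSITIVE_EXT = (".properties", ".xml", ".txt")  # extensions named in the log indicators above
GWC_PREFIX = "/geoserver/gwc/"

def normalize_uri(uri: str) -> str:
    """Percent-decode until stable (catches double encoding), fold backslashes to slashes, lowercase."""
    prev, cur = None, uri
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()

def classify(uri: str) -> list[str]:
    """Return the indicator names this request trips; an empty list means no match."""
    path = normalize_uri(uri).split("?", 1)[0]
    reasons = []
    if any(seg == ".." for seg in path.split("/")):
        reasons.append("path_traversal")
    if path.startswith(GWC_PREFIX) and path.endswith(SENSITIVE_EXT):
        reasons.append("gwc_sensitive_extension")
    return reasons

def scan_log(text: str) -> list[dict]:
    """One finding per suspicious request; a 2xx answer to a traversal request is rated high."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        reasons = classify(m["uri"])
        if not reasons:
            continue
        status = int(m["status"])
        severity = "high" if "path_traversal" in reasons and 200 <= status < 300 else "medium"
        findings.append({"ip": m["ip"], "uri": m["uri"], "status": status, "reasons": reasons, "severity": severity})
    return findings
```

Run `scan_log` over a real access log to get a list of findings; the 404 on the first traversal attempt is rated medium (the server refused it), while the 200 on the encoded attempt is rated high because the server served a response.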
