GHSA-7QMG-GRCP-QF25

Vulnerability from github – Published: 2026-06-12 18:23 – Updated: 2026-06-12 18:23
Summary
GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page
Details

Summary

A vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. Three conditions apply: the provided file name must be an absolute path to the target file, the target file cannot already exist, and all of its parent directories must already exist.

Details

When dumping the master password, GeoServer uses the provided file name with minimal validation, requiring only that it is a valid java.io.File path. The only limitation is that the fix for a previous, unrelated vulnerability prevents relative path traversal here; absolute paths, however, can still be used to write arbitrary files. GeoServer does not enforce a maximum password length by default, so an administrator can place malicious code into their password, which is then written out when the password is dumped into a JSP file.

Impact

Remote Code Execution (High severity)

This vulnerability can lead to executing arbitrary code if GeoServer is deployed in an environment where an attacker can dynamically deploy and execute a JSP file. This is possible if the geoserver.war file is simply placed into the webapps directory of a default Tomcat installation.

NTLM Hash Disclosure (Moderate severity)

If GeoServer is deployed on Windows and the GeoServer administrator does not already have access to the Windows account running the GeoServer process, it may be possible for the administrator to make GeoServer trigger an outbound NTLM request to a remote, attacker-controlled server and obtain the NTLM hash or user password for use in future attacks.

Denial of Service (Low severity)

This vulnerability allows writing a file to any location where the GeoServer process has write permissions, which could still cause some form of denial of service.

Mitigation

GeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages.
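As an added illustration of the code-level mitigation (this is not GeoServer's own code nor the fix in the linked pull request), the following Java class confines a user-supplied dump file name to one allow-listed directory so that none of the three conditions described above can be met with an arbitrary location; the base directory, the .txt-only rule and the class name are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Confines a user-supplied dump file name to one allow-listed directory (assumed policy, not GeoServer's). */
public final class DumpPathPolicy {
    private final Path baseDir; // the only directory dumps may be written to, e.g. the data directory

    public DumpPathPolicy(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath(); // canonical form so the startsWith() checks below are meaningful
    }

    /** Returns the path to create, or throws if the name violates the policy. */
    public Path resolveForWrite(String userSupplied) throws IOException {
        Path candidate = Paths.get(userSupplied);
        // Absolute or rooted names are refused outright; callers may only name a file relative to baseDir.
        if (candidate.isAbsolute() || candidate.getRoot() != null) throw new IOException("absolute paths are not allowed");
        Path resolved = baseDir.resolve(candidate).normalize();
        // normalize() collapses ".." segments, so any escape shows up as a path outside baseDir.
        if (!resolved.startsWith(baseDir)) throw new IOException("path escapes the allowed directory");
        Path parent = resolved.getParent();
        if (parent == null || !Files.isDirectory(parent)) throw new IOException("parent directory does not exist");
        // Follow symlinks in the parent: a link placed inside baseDir must not point elsewhere.
        if (!parent.toRealPath().startsWith(baseDir)) throw new IOException("parent resolves outside the allowed directory");
        if (Files.exists(resolved)) throw new IOException("target file already exists");
        // Fix the extension so the dump can never be a file type the servlet container would execute.
        if (!resolved.getFileName().toString().endsWith(".txt")) throw new IOException("only .txt dump files are allowed");
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        Path sandbox = Files.createTempDirectory("dump-policy-demo"); // constructed sandbox directory
        DumpPathPolicy policy = new DumpPathPolicy(sandbox);
        // Constructed inputs: one valid relative name, a traversal attempt, an absolute path, a wrong extension.
        String[] inputs = {"masterpw.txt", "../escape.txt", sandbox.resolve("abs.txt").toString(), "dump.jsp"};
        for (String name : inputs) {
            try {
                System.out.println("accepted " + name + " -> " + policy.resolveForWrite(name));
            } catch (IOException e) {
                System.out.println("rejected " + name + ": " + e.getMessage());
            }
        }
    }
}
```

Only the first input is accepted; the absolute path is refused even though it points inside the sandbox, because the policy never trusts a caller-supplied root.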

Resources

https://osgeo-org.atlassian.net/browse/GEOS-11852
https://github.com/geoserver/geoserver/pull/8584


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.27.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.27.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.27.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-sec-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.27.0"
            },
            {
              "fixed": "2.27.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-sec-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.26.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.26.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.geoserver.web:gs-web-app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.26.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52465"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T18:23:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA vulnerability exists that allows an authenticated administrator with access to GeoServer\u0027s security system to pass arbitrary file names to the Master Password Dump web page and create files containing the master password in plaintext. The provided file name must be an absolute path to the target file, the target file can not already exist and all parent directories must already exist.\n\n### Details\nWhen dumping the master password, GeoServer will use the provided file name with minimal validation as long as it is a java.io.File path. The only limitation is that the fix for a previous, unrelated vulnerability prevents relative path traversal here but absolute paths can be used to access arbitrary files. GeoServer does not enforce a maximum password length by default which allows an administrator to place malicious code into their password which could then be dumped into a JSP file.\n\n### Impact\n#### Remote Code Execution (High severity)\nThis vulnerability can lead to executing arbitrary code if GeoServer is deployed in an environment where an attacker can dynamically deploy and execute a JSP file. This is possible if the geoserver.war file is simply placed into the webapps directory of a default Tomcat installation.\n\n#### NTLM Hash Disclosure (Moderate severity)\nIf GeoServer is deployed in a Windows operating system and the GeoServer administrator does not already have access to the Windows account running the GeoServer process, it may be possible for the administrator to make GeoServer trigger an outbound NTLM request to a remote, attacker-controlled server and gain access to the NTLM hash or user password for use in future attacks.\n\n#### Denial of Service (Low severity)\nThis vulnerability allows writing a file to any location where the GeoServer process has write permissions which could still potentially cause some kind of denial of service.\n\n### Mitigation\nGeoServer installations where the web interface is either disabled or completely removed are not affected since the vulnerability exists in one of the web pages.\n\n### Resources\nhttps://osgeo-org.atlassian.net/browse/GEOS-11852\nhttps://github.com/geoserver/geoserver/pull/8584",
  "id": "GHSA-7qmg-grcp-qf25",
  "modified": "2026-06-12T18:23:28Z",
  "published": "2026-06-12T18:23:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-7qmg-grcp-qf25"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geoserver/geoserver/pull/8584"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geoserver/geoserver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoServer has an arbitrary file write vulnerability in its Master Password Dump Page"
}
