Data Management and Analytics

In Grafana versions before 11.6.2 a low severity vulnerability CVE-2025-1088 was detected. This vulnerability allows excessively long dashboard titles or panel names to cause Chromium-based browsers to become unresponsive due to improper input validation. To address this issue, users should upgrade Grafana to versions 11.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1088.

In Kibana versions before and including 8.12.0 a medium severity vulnerability CVE-2024-43706 was detected. This vulnerability allows attackers to abuse privileges through improper authorization by sending a direct HTTP request to a Synthetic monitor endpoint. To address this issue, users should update Kibana to versions 8.12.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43706.

In GeoServer versions prior to 2.25.0 a critical severity vulnerability CVE-2024-34711 was detected. This vulnerability allows attackers to perform XML External Entity (XXE) attacks, enabling them to send GET requests to arbitrary HTTP servers. The flaw lies in improper URI validation in XML entity resolution, which can be exploited to scan internal networks and gather sensitive information. To address this issue, users should upgrade GeoServer to versions 2.25.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-34711.

In GeoServer versions prior to 2.24.4 and 2.25.2 a high severity vulnerability CVE-2024-29198 was detected. This vulnerability allows attackers to perform Server-Side Request Forgery (SSRF) via the Demo request endpoint if the Proxy Base URL has not been configured. To address this issue, users should upgrade GeoServer to versions 2.24.4 or 2.25.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-29198.

In GeoServer versions prior to 2.27.1, 2.26.3 and 2.25.7 a critical severity vulnerability CVE-2025-30220 was detected. This vulnerability allows attackers to exploit XML External Entity (XXE) injection due to improper use of the EntityResolver in the GeoTools Schema class, affecting XML parsing when external schemas are referenced. To address this issue, users should upgrade GeoServer to versions 2.27.1, 2.26.3 or 2.25.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30220.

In GeoServer versions prior to 2.27.0, 2.26.3 and 2.25.7 a high severity vulnerability CVE-2025-30145 was detected. This vulnerability allows attackers to execute malicious Jiffle scripts as rendering transformations in WMS dynamic styles or WPS processes, potentially triggering an infinite loop and causing denial of service. To address this issue, users should upgrade GeoServer to versions 2.27.0, 2.26.3 or 2.25.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30145.

In GeoServer versions prior to 2.26.3 and 2.25.6 a medium severity vulnerability CVE-2025-27505 was detected. This vulnerability allows attackers to bypass REST API access controls by appending file extensions (e.g., `.html`) to the `/rest` path, potentially disclosing information about installed extensions. To address this issue, users should upgrade GeoServer to versions 2.26.3 or 2.25.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27505.

In GeoServer versions prior to 2.26.0 a medium severity vulnerability CVE-2024-40625 was detected. This vulnerability allows attackers to upload arbitrary files via the Coverage REST API endpoint `/workspaces/{workspaceName}/coveragestores/{storeName}/url.{format}` by abusing the `url` method without proper restrictions. To address this issue, users should upgrade GeoServer to versions 2.26.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-40625.

In GeoServer versions prior to 2.26.2 and 2.25.6 a medium severity vulnerability CVE-2024-38524 was detected. This vulnerability allows users to access potentially sensitive information via the `GeoWebCacheDispatcher.handleFrontPage` method, as there is no default mechanism to hide storage locations unless a specific system property is manually configured. To address this issue, users should upgrade GeoServer to versions 2.26.2 or 2.25.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-38524.