Data Management and Analytics

In GeoServer versions prior to 2.25.0 a critical severity vulnerability CVE-2024-34711 was detected. This vulnerability allows attackers to perform XML External Entity (XXE) attacks, enabling them to send GET requests to arbitrary HTTP servers. The flaw lies in improper URI validation in XML entity resolution, which can be exploited to scan internal networks and gather sensitive information. To address this issue, users should upgrade GeoServer to versions 2.25.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-34711.

In GeoServer versions prior to 2.24.4 and 2.25.2 a high severity vulnerability CVE-2024-29198 was detected. This vulnerability allows attackers to perform Server-Side Request Forgery (SSRF) via the Demo request endpoint if the Proxy Base URL has not been configured. To address this issue, users should upgrade GeoServer to versions 2.24.4 or 2.25.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-29198.

In Kibana versions before and including 8.12.0 a medium severity vulnerability CVE-2024-43706 was detected. This vulnerability allows attackers to abuse privileges through improper authorization by sending a direct HTTP request to a Synthetic monitor endpoint. To address this issue, users should update Kibana to versions 8.12.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-43706.

In GeoServer versions prior to 2.27.1, 2.26.3 and 2.25.7 a critical severity vulnerability CVE-2025-30220 was detected. This vulnerability allows attackers to exploit XML External Entity (XXE) injection due to improper use of the EntityResolver in the GeoTools Schema class, affecting XML parsing when external schemas are referenced. To address this issue, users should upgrade GeoServer to versions 2.27.1, 2.26.3 or 2.25.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30220.

In GeoServer versions prior to 2.27.0, 2.26.3 and 2.25.7 a high severity vulnerability CVE-2025-30145 was detected. This vulnerability allows attackers to execute malicious Jiffle scripts as rendering transformations in WMS dynamic styles or WPS processes, potentially triggering an infinite loop and causing denial of service. To address this issue, users should upgrade GeoServer to versions 2.27.0, 2.26.3 or 2.25.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-30145.

In GeoServer versions prior to 2.26.3 and 2.25.6 a medium severity vulnerability CVE-2025-27505 was detected. This vulnerability allows attackers to bypass REST API access controls by appending file extensions (e.g., `.html`) to the `/rest` path, potentially disclosing information about installed extensions. To address this issue, users should upgrade GeoServer to versions 2.26.3 or 2.25.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27505.

In GeoServer versions prior to 2.26.0 a medium severity vulnerability CVE-2024-40625 was detected. This vulnerability allows attackers to upload arbitrary files via the Coverage REST API endpoint `/workspaces/{workspaceName}/coveragestores/{storeName}/url.{format}` by abusing the `url` method without proper restrictions. To address this issue, users should upgrade GeoServer to versions 2.26.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-40625.

In GeoServer versions prior to 2.26.2 and 2.25.6 a medium severity vulnerability CVE-2024-38524 was detected. This vulnerability allows users to access potentially sensitive information via the `GeoWebCacheDispatcher.handleFrontPage` method, as there is no default mechanism to hide storage locations unless a specific system property is manually configured. To address this issue, users should upgrade GeoServer to versions 2.26.2 or 2.25.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-38524.

In Metabase versions 54.10 a medium severity vulnerability CVE-2025-5895 was detected. This vulnerability allows attackers to trigger inefficient regular expression complexity in the parseDataUri function (frontend/src/metabase/lib/dom.js), potentially leading to denial of service via remote exploitation. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5895.