Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 2.5.5.1, 2.6.4, 2.7.1.1, 2.8-M0, 2.8-beta
    • Fix Version/s: 2.7.3, 2.8-beta
    • Component/s: Vulnerability
    • Labels: None

Description

Hello,

As part of security research, I've found an exploitable bypass of the XXE fix in the 2.7.1.1 release, which renders the fix useless.

In order to avoid direct risk to customers (including mine) running GeoServer (even the current 2.7.1.1 release), I am not yet posting any exploitation details here, unless you ask me to. It is better to contact me directly for information about the bypass and the steps to fix it (mail@Christian-Schneider.net).

Best regards & many thanks,
Christian Schneider

@cschneider4711

People

    • Assignee: tbarsballe Torben Barsballe
    • Reporter: cschneider4711 Christian Schneider
