CVE-2024-24749 Overview
GeoServer is an open source server for sharing and editing geospatial data. CVE-2024-24749 is a path traversal vulnerability [CWE-22] in the GeoWebCache ByteStreamController class that affects GeoServer deployments on Windows running under Apache Tomcat. Attackers can bypass existing input validation to read arbitrary classpath resources with specific file name extensions. When GeoServer is deployed as a web archive using the embedded data directory in geoserver.war, the flaw can be leveraged to read resources sufficient to gain administrator privileges. The issue is fixed in versions 2.23.5 and 2.24.3.
Critical Impact
Unauthenticated remote attackers can read sensitive classpath resources and, in embedded data directory deployments, escalate to GeoServer administrator access.
Affected Products
- GeoServer versions prior to 2.23.5
- GeoServer 2.24.x versions prior to 2.24.3
- Deployments on Microsoft Windows using Apache Tomcat as the application server
Discovery Timeline
- 2024-07-01 - CVE-2024-24749 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-24749
Vulnerability Analysis
The vulnerability resides in the GeoWebCache ByteStreamController class, which serves static resources over HTTP. Input validation logic intended to constrain requested paths fails to account for Windows-specific path semantics when GeoServer runs on Apache Tomcat. As a result, attackers can craft request paths that escape the intended resource directory and reach arbitrary classpath resources whose file name extensions match the controller's allow list.
Because the bypass operates over the network and requires no authentication or user interaction, any reachable GeoServer instance matching the affected configuration is exposed. The vulnerability itself only discloses data, but in deployments that run from the data directory embedded in geoserver.war the disclosed resources are enough to log in as administrator, at which point the integrity and availability of the instance are also at stake.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The ByteStreamController validation routines did not normalize Windows path separators and traversal sequences before resolving the resource location, so a request that avoids the POSIX-style traversal token the check looks for can still walk out of the intended resource directory once Windows resolves it. An attacker can use this gap to read files served from the application classpath, subject to the controller's file name extension allow list.
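To make the root cause concrete, here is an added illustration written for this page; it is not the GeoWebCache ByteStreamController code and does not reproduce its actual checks. It uses Python's ntpath and posixpath modules to emulate Windows and Linux path rules on any host. The resource root rest/web, the extension allow list and the target paths are constructed placeholders. The vulnerable resolver rejects only the POSIX ../ token on the raw request string; the hardened one URL-decodes first, normalizes with the platform's own rules, and requires the normalized result to stay under the root before applying the extension check. The percent-encoded-dot case goes beyond what the advisory describes and is included to show why decoding must precede the check on any platform.

```python
import ntpath
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed for this example: a static-resource root and the extensions the
# controller is willing to serve. Not the real ByteStreamController settings.
RESOURCE_ROOT = "rest/web"
ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".xml"}

# Emulate either platform's path semantics regardless of where this runs.
PLATFORMS = {"windows": ntpath, "linux": posixpath}


def naive_resolve(requested: str, platform: str = "windows") -> Optional[str]:
    """Vulnerable pattern (illustrative): look for the POSIX traversal token in
    the raw request, then concatenate. Returns the path the platform would
    actually open, so the caller can see where the request lands."""
    pathmod = PLATFORMS[platform]
    if not requested or "../" in requested or requested.startswith("/"):
        return None
    if pathmod.splitext(requested)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    # Decoding happens after the check, and backslashes were never considered:
    # on Windows "..\" is a parent-directory step, on Linux it is a filename.
    return pathmod.normpath(pathmod.join(RESOURCE_ROOT, unquote(requested)))


def hardened_resolve(requested: str, platform: str = "windows") -> Optional[str]:
    """Hardened pattern: decode first, normalize with the platform's own rules,
    then enforce containment on the normalized result and the allow list."""
    pathmod = PLATFORMS[platform]
    if not requested:
        return None
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    root = pathmod.normpath(RESOURCE_ROOT)
    target = pathmod.normpath(pathmod.join(root, decoded))
    # Containment check on the normalized path: ".." segments and both
    # separator styles have been collapsed, so a prefix test is meaningful now.
    if not target.startswith(root + pathmod.sep):
        return None
    if pathmod.splitext(target)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return target


if __name__ == "__main__":
    probes = (
        "css/app.css",                       # legitimate resource
        r"..\..\WEB-INF\web.xml",            # Windows separators, raw
        "..%5c..%5cWEB-INF%5cweb.xml",       # same, percent-encoded
        "%2e%2e/%2e%2e/WEB-INF/web.xml",     # encoded dots, any platform
    )
    for req in probes:
        for platform in PLATFORMS:
            print(f"{platform:7} {req:32} naive={naive_resolve(req, platform)!s:36} "
                  f"hardened={hardened_resolve(req, platform)}")
```

On the Linux emulation the raw backslash request resolves to a literal file name under the root and is harmless; on the Windows emulation the same request lands on WEB-INF\web.xml, which is the asymmetry the advisory describes. The hardened resolver returns None for every traversal attempt on both platforms while still serving css/app.css.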
Attack Vector
An unauthenticated attacker sends a crafted HTTP request to the GeoWebCache endpoint exposed by GeoServer. Using Windows-style path traversal sequences, the request resolves to a classpath resource outside the controller's intended scope. In deployments using the data directory embedded in geoserver.war, the attacker can read resources containing the default administrator credentials and authenticate to the GeoServer administration interface. Deployments that use an external data directory remain exposed to the resource disclosure but not to this privilege escalation path. The standalone installers and binaries always use an external data directory and ship with Jetty rather than Tomcat, so they are outside the affected configuration.
No verified public proof-of-concept code is available. Technical details are documented in GitHub Security Advisory GHSA-jhqx-5v5g-mpf3 and GitHub Pull Request #1211.
Detection Methods for CVE-2024-24749
Indicators of Compromise
- HTTP requests to GeoWebCache ByteStreamController paths containing backslash sequences, encoded backslashes (%5c), or ..\ traversal patterns
- Successful HTTP 200 responses to GeoWebCache resource requests whose paths reference file names outside the static resource directory the controller is meant to serve
- Unexpected administrator logins to GeoServer originating from external IP addresses shortly after suspicious GeoWebCache requests
Detection Strategies
- Inspect web server and reverse proxy logs for request URIs targeting the GeoWebCache controller with path traversal characters or unusual file extensions
- Alert on anonymous access to GeoWebCache administration and status pages, which should normally require authentication
- Correlate GeoWebCache resource access events with subsequent authentication events against the GeoServer administration console
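The indicators and detection strategies above, turned into a small log analyzer as an added example written for this page (not a GeoServer or GeoWebCache tool). It parses Tomcat AccessLogValve lines in the default "common" pattern, flags GeoWebCache requests carrying raw, percent-encoded or double-encoded traversal tokens or a bare backslash, and correlates each hit with a later form-login POST from the same client. The sample log lines are constructed, the /gwc/rest/web/ resource path and the /j_spring_security_check login endpoint are assumptions about the deployment, and the 15-minute correlation window is a tuning choice.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Traversal tokens in raw or decoded form: "../", "..\", "..%2f", "..%5c", "%2e%2e"
TRAVERSAL_RE = re.compile(r"\.\.(?:/|\\|%2f|%5c)|%2e%2e", re.IGNORECASE)
GWC_PREFIX = "/gwc/"
# Assumption: GeoServer's form-login endpoint; adjust if the deployment differs.
LOGIN_PATH = "/j_spring_security_check"
CORRELATION_WINDOW = timedelta(minutes=15)

# Constructed sample log lines (not real traffic). Client IPs are RFC 5737 ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Mar/2024:10:15:02 +0000] "GET /geoserver/gwc/rest/web/..%5c..%5cWEB-INF%5cweb.xml HTTP/1.1" 200 1842',
    r'198.51.100.9 - - [03/Mar/2024:10:15:20 +0000] "GET /geoserver/gwc/rest/web/..\..\WEB-INF\web.xml HTTP/1.1" 404 -',
    '203.0.113.7 - - [03/Mar/2024:10:15:40 +0000] "POST /geoserver/j_spring_security_check HTTP/1.1" 302 -',
    '192.0.2.20 - - [03/Mar/2024:10:16:01 +0000] "GET /geoserver/gwc/rest/web/openlayers3/ol.js HTTP/1.1" 200 45120',
    '192.0.2.20 - - [03/Mar/2024:10:17:10 +0000] "GET /geoserver/gwc/service/wmts?REQUEST=GetCapabilities HTTP/1.1" 200 9023',
]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "uri": m["uri"],
        "status": int(m["status"]),
    }


def is_traversal(uri: str) -> bool:
    """True if the URI carries a traversal token raw, encoded, or double-encoded,
    or any backslash at all (a separator on the Windows hosts this CVE affects)."""
    decoded = unquote(unquote(uri))  # second pass catches %255c, %252e and friends
    return bool(TRAVERSAL_RE.search(uri) or TRAVERSAL_RE.search(decoded) or "\\" in decoded)


def detect(lines: List[str]) -> List[Dict]:
    """Flag suspicious GeoWebCache requests and note whether the same client
    posted to the login endpoint shortly afterwards."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    alerts = []
    for ev in events:
        if GWC_PREFIX not in ev["uri"] or not is_traversal(ev["uri"]):
            continue
        # A 302 from the login POST does not by itself prove success (GeoServer
        # redirects on failure too); confirm against GeoServer's own audit log.
        login_after = any(
            o["ip"] == ev["ip"] and o["method"] == "POST" and LOGIN_PATH in o["uri"]
            and o["status"] == 302 and ev["ts"] < o["ts"] <= ev["ts"] + CORRELATION_WINDOW
            for o in events
        )
        served = ev["status"] == 200
        severity = "high" if served and login_after else "medium" if served else "low"
        alerts.append({"ip": ev["ip"], "ts": ev["ts"].isoformat(), "uri": ev["uri"],
                       "served": served, "login_after": login_after, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A 200 on a traversal request is the signal that matters most: it means the controller actually served something. The 404 from the second client is still worth recording as reconnaissance. Run the analyzer over the Tomcat access log for the GeoServer context; with the common pattern the redirect target of the login POST is not logged, so the login_after flag is a prompt to check GeoServer's audit trail rather than proof of compromise.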
Monitoring Recommendations
- Enable verbose access logging on Apache Tomcat for the GeoServer context and forward logs to a centralized analytics platform
- Monitor configuration changes and user account modifications in GeoServer following any anomalous GeoWebCache traffic
- Track GeoServer version inventory to confirm upgraded instances remain at 2.23.5, 2.24.3, or later
How to Mitigate CVE-2024-24749
Immediate Actions Required
- Upgrade GeoServer to version 2.23.5, 2.24.3, or later as documented in the vendor advisory
- Identify and inventory all GeoServer deployments running on Windows with Apache Tomcat to prioritize patching
- Verify that production deployments use an external data directory rather than the directory embedded in geoserver.war
- Rotate GeoServer administrator credentials if the embedded data directory was in use on a vulnerable instance
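A way to carry out the data directory check above on a Windows Tomcat host, as an added example written for this page and not a script from the GeoServer project. GeoServer reads GEOSERVER_DATA_DIR from an environment variable, a servlet context parameter, or a JVM system property; when none is set it falls back to the data directory packaged inside the WAR. The Tomcat install path, context name, and the assumption that JVM options live in bin\setenv.bat are placeholders to adjust for the deployment.

```powershell
# Added example (not from the GeoServer project): report where a geoserver.war
# deployed under Tomcat on Windows takes its data directory from.
# The default Tomcat 9 install path and context name below are assumptions.
param(
    [string]$CatalinaHome = "C:\Program Files\Apache Software Foundation\Tomcat 9.0",
    [string]$ContextName  = "geoserver"
)

$webApp  = Join-Path $CatalinaHome "webapps\$ContextName"
$sources = @()

# 1. Environment variable as seen by the account running this script. Run it as
#    the Tomcat service account, or the service may see something different.
if ($env:GEOSERVER_DATA_DIR) {
    $sources += "environment variable: $env:GEOSERVER_DATA_DIR"
}

# 2. Servlet context parameter inside the unpacked WAR's WEB-INF\web.xml.
$webXml = Join-Path $webApp "WEB-INF\web.xml"
if (Test-Path $webXml) {
    [xml]$doc = Get-Content -Raw $webXml
    foreach ($p in @($doc.'web-app'.'context-param')) {
        if ($p.'param-name' -eq 'GEOSERVER_DATA_DIR') {
            $sources += "web.xml context-param: $($p.'param-value')"
        }
    }
}

# 3. JVM system property (-DGEOSERVER_DATA_DIR=...) in setenv.bat, or a Tomcat
#    <Parameter> element in the context descriptor for this web application.
$candidates = @(
    (Join-Path $CatalinaHome "bin\setenv.bat"),
    (Join-Path $CatalinaHome "conf\Catalina\localhost\$ContextName.xml")
)
foreach ($file in $candidates) {
    if (Test-Path $file) {
        Select-String -Path $file -Pattern 'GEOSERVER_DATA_DIR' | ForEach-Object {
            $sources += "$($file): $($_.Line.Trim())"
        }
    }
}

if ($sources.Count -eq 0) {
    # Nothing overrides the default, so GeoServer uses the data directory
    # packaged inside the WAR: the configuration this advisory warns about.
    Write-Output "RISK: no external data directory configured; using embedded $webApp\data"
} else {
    Write-Output "External data directory configuration found:"
    $sources | ForEach-Object { Write-Output "  $_" }
}
```

If the script reports the embedded directory on an instance that was exposed while vulnerable, treat the administrator credentials as compromised and rotate them after upgrading, as the list above says.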
Patch Information
The upstream fix is committed in the GeoWebCache repository at commit c7f76bd8a1d67c3b986146e7a5e0b14dd64a8fef. The fix is included in GeoServer 2.23.5 and 2.24.3. Full details are published in GitHub Security Advisory GHSA-jhqx-5v5g-mpf3.
Workarounds
- Migrate the GeoServer host from Windows to Linux, which is not affected by the path normalization gap
- Replace Apache Tomcat with the Jetty application server for GeoServer deployments that must remain on Windows
- Disable anonymous access to the embedded GeoWebCache administration and status pages
<!-- Example: require authentication for GeoWebCache paths with a container
     security constraint in the web application's WEB-INF/web.xml. This only
     takes effect together with a login-config and a Tomcat realm that defines
     the role; ROLE_ADMINISTRATOR is a GeoServer role name, so the realm must
     be configured to supply it. Note that /gwc/* also covers the WMTS/TMS tile
     endpoints, so anonymous tile clients will be blocked as well. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>GeoWebCache Admin</web-resource-name>
    <url-pattern>/gwc/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_ADMINISTRATOR</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>GeoServer</realm-name>
</login-config>
<security-role>
  <role-name>ROLE_ADMINISTRATOR</role-name>
</security-role>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.