CVE-2023-41877: 
Java vulnerability analysis and mitigation

GeoServer, an open source software server written in Java for sharing and editing geospatial data, contains a path traversal vulnerability (CVE-2023-41877) affecting versions 2.23.4 and prior. The vulnerability was discovered and disclosed on March 20, 2024. The issue requires GeoServer Administrator access to the admin console to misconfigure the Global Settings for log file location to an arbitrary location (GitHub Advisory).

The vulnerability is classified as a path traversal issue (CWE-22) that allows an administrator to set arbitrary log file locations through the Global Settings. The admin console GeoServer Logs page then provides a preview of these contents, potentially exposing sensitive information. The vulnerability has received a CVSS v3.1 score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with high privileges required (NVD).

The vulnerability can be exploited to read arbitrary files via the admin console GeoServer Logs page. Additionally, it can be leveraged for Remote Code Execution (RCE) or cause denial of service by overwriting key GeoServer files (GitHub Advisory).

As a workaround, system administrators can use the GEOSERVERLOGFILE parameter to override any configuration option provided by the Global Settings page. The GEOSERVERLOGLOCATION parameter can be set as a system property, environment variable, or servlet context parameter. No patch has been released as of the disclosure date, as the vulnerability requires administrator access (GitHub Advisory, GeoServer Docs).