CVE-2024-32037: 
Java vulnerability analysis and mitigation

GeoNetwork, a catalog application for managing spatially referenced resources, was found to have a security vulnerability in versions prior to 4.2.10 and 4.4.5. The vulnerability (CVE-2024-32037) was discovered where the search end-point response headers contained information about Elasticsearch software in use. The issue was disclosed on February 11, 2025, and affects all versions of GeoNetwork before 4.2.10 and 4.4.5 (GitHub Advisory).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that the vulnerability is network accessible, requires low attack complexity, needs no privileges or user interaction, has unchanged scope, and only impacts confidentiality (GitHub Advisory).

The vulnerability allows software used by the server to be easily identified through the search end-point response headers, which exposes sensitive information about the Elasticsearch software in use. This information disclosure could be valuable from a security perspective as it enables attackers to identify specific software versions running on the server (GitHub Advisory).

The vulnerability has been fixed in GeoNetwork versions 4.4.5 and 4.2.10. Users are advised to upgrade to these patched versions as no known workarounds are available (GitHub Advisory).

The vulnerability was reported by the Ministry of Economic Affairs and Climate Policy, The Netherlands, demonstrating the involvement of government entities in identifying and reporting security issues in open-source software (GitHub Advisory).