CVE-2024-34711: 
Java vulnerability analysis and mitigation

GeoServer, an open source server for sharing and editing geospatial data, is affected by an improper URI validation vulnerability (CVE-2024-34711). The vulnerability enables unauthorized attackers to perform XML External Entities (XXE) attacks and send GET requests to any HTTP server. The issue was discovered in versions prior to 2.25.0, where GeoServer's PreventLocalEntityResolver class from GeoTools inadequately filtered malicious URIs in XML entities (GitHub Advisory).

The vulnerability stems from insufficient URI validation in XML processing. By default, GeoServer uses PreventLocalEntityResolver to filter URIs in XML entities, requiring them to match the regex pattern (?i)(jar:file|http|vfs)^?#;*.xsd. However, this regex pattern contains security gaps that allow attackers to make requests to any HTTP server or access limited files. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L (GitHub Advisory).

The vulnerability allows unauthenticated attackers to perform several malicious actions: scan internal networks to gather information for further exploitation, execute SSRF attacks to endpoints ending with .xsd, and read limited .xsd files on the system (GitHub Advisory).

Users should upgrade to GeoServer 2.25.0 or later, which defaults to using ENTITYRESOLUTIONALLOWLIST without requiring system property configuration. The built-in allowlist covers essential locations for OGC web services operation, including www.w3.org, schemas.opengis.net, www.opengis.net, and inspire.ec.europa.eu/schemas. For versions that cannot be upgraded, administrators can define the ENTITYRESOLUTIONALLOWLIST system property to limit supported external schema locations (GeoServer Docs, GitHub Advisory).