GeoNetwork affected by XML External Entity (XXE) processing vulnerability in WFS indexing REST API endpoint
Impact
GeoNetwork WFS Index functionality is affected by GeoTools XML External Entity (XXE) vulnerability during schema validation.
This vulnerability is particularly severe as the REST API endpoint was not secured, potentially allowing unauthenticated attackers to read sensitive files
Patches
GeoNetwork 4.4.8 / 4.2.13.
Workarounds
Remove the gn-wfsfeature-harvester and gn-camelPeriodicProducer jars, disabling the WFS Index functionality.
References
- GHSA-826p-4gcg-35vw
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812
| Software | From | Fixed in |
|---|---|---|
org.geonetwork-opensource / gn-web-app
|
4.4.0 | 4.4.8 |
|
org.geonetwork-opensource / gn-web-app
|
4.2.0 | 4.2.13 |
|
org.geonetwork-opensource / gn-wfsfeature-harvester
|
4.4.0 | 4.4.8 |
|
org.geonetwork-opensource / gn-wfsfeature-harvester
|
4.2.0 | 4.2.13 |
- https://github.com/geonetwork/core-geonetwork/pull/8757
- https://github.com/geonetwork/core-geonetwork/pull/8803
- https://github.com/geonetwork/core-geonetwork/pull/8812
- https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc
- https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime