From: Mark P. <mc....@gm...> - 2024-07-01 16:55:58
On 01-07-2024 16:43, Jody Garnett wrote:
> I am not sure we have been notified about that vulnerability; searching my email, you are the first.
>
> Just because someone has opened a CVE does not indicate they have contacted the open source project at all. Please forward to the geoserver-security email list (see security policy). It would be helpful if you describe what steps you have already taken to verify so the volunteers do not duplicate your effort.

In fact, just because someone managed to open a CVE record, it does not mean there is an actual vulnerability.

The record at NIST, https://nvd.nist.gov/vuln/detail/CVE-2023-5786, provides a link to https://github.com/Qxyday/GeoServe---unauthorized

That seems to be the original input and exploit. (Based on the descriptions and that page, I fail to see any vulnerability at all!)

Note that the CVE is logged against GWC 1.15.0 and 1.15.1; both are >5 years old and no longer used in project-supported versions of GeoServer afaik.

Mark