GeoServer has encountered an XML External Entity (XEE) vulnerability permitting an unauthenticated read access to server files.
This vulnerability GEOS-7032 is addressed in the following releases and we strongly encourage all users to upgrade:
- GeoServer 220.127.116.11 (bin, war, dmg and exe) – stable release
- GeoServer 2.6.4 (bin, war, dmg and exe) – maintenance release
- GeoServer 18.104.22.168 (bin, war, and exe)
If you encounter a security vulnerability in GeoServer, or any other open source software, please take care to report the issue in a responsible fashion:
- Keep exploit details out of issue report (send to developer/PSC privately – just like you would do for sensitive sample data)
- Be prepared to work with Project Steering Committee (PSC) members on a solution
- Keep in mind PSC members are volunteers and an extensive fix may require fundraising / resources
If you are not in position to communicate in public (or make use of the issue tracker) please consider commercial support, contacting a PSC member privately or contacting us via the Open Source Geospatial Foundation at email@example.com.
We will be revising the GeoServer Developers Guide to clarify in the coming days.