Search
Find a vulnerability
Search criteria
2 vulnerabilities found for core-geonetwork by geonetwork
CVE-2024-32037 (GCVE-0-2024-32037)
Vulnerability from nvd – Published: 2025-02-11 21:50 – Updated: 2025-02-12 15:37
VLAI
Title
GeoNetwork vulnerable to search end-point information disclosure in response headers
Summary
GeoNetwork is a catalog application to manage spatially referenced resources. In versions prior to 4.2.10 and 4.4.5, the search end-point response headers contain information about Elasticsearch software in use. This information is valuable from a security point of view because it allows software used by the server to be easily identified. GeoNetwork 4.4.5 and 4.2.10 fix this issue. No known workarounds are available.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/geonetwork/core-geonetwork/sec… | x_refsource_CONFIRM |
| https://docs.geonetwork-opensource.org/4.4/api/search | x_refsource_MISC |
| https://github.com/geonetwork/core-geonetwork/rel… | x_refsource_MISC |
| https://github.com/geonetwork/core-geonetwork/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| geonetwork | core-geonetwork |
Affected:
< 4.2.10
Affected: >= 4.4.0, < 4.4.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32037",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T15:37:36.526856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T15:37:46.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core-geonetwork",
"vendor": "geonetwork",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.10"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoNetwork is a catalog application to manage spatially referenced resources. In versions prior to 4.2.10 and 4.4.5, the search end-point response headers contain information about Elasticsearch software in use. This information is valuable from a security point of view because it allows software used by the server to be easily identified. GeoNetwork 4.4.5 and 4.2.10 fix this issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T21:50:29.138Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-52rf-25hq-5m33",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-52rf-25hq-5m33"
},
{
"name": "https://docs.geonetwork-opensource.org/4.4/api/search",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.geonetwork-opensource.org/4.4/api/search"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/releases/tag/4.2.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/releases/tag/4.2.10"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/releases/tag/4.4.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/releases/tag/4.4.5"
}
],
"source": {
"advisory": "GHSA-52rf-25hq-5m33",
"discovery": "UNKNOWN"
},
"title": "GeoNetwork vulnerable to search end-point information disclosure in response headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32037",
"datePublished": "2025-02-11T21:50:29.138Z",
"dateReserved": "2024-04-09T15:29:35.939Z",
"dateUpdated": "2025-02-12T15:37:46.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-32037 (GCVE-0-2024-32037)
Vulnerability from cvelistv5 – Published: 2025-02-11 21:50 – Updated: 2025-02-12 15:37
VLAI
Title
GeoNetwork vulnerable to search end-point information disclosure in response headers
Summary
GeoNetwork is a catalog application to manage spatially referenced resources. In versions prior to 4.2.10 and 4.4.5, the search end-point response headers contain information about Elasticsearch software in use. This information is valuable from a security point of view because it allows software used by the server to be easily identified. GeoNetwork 4.4.5 and 4.2.10 fix this issue. No known workarounds are available.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/geonetwork/core-geonetwork/sec… | x_refsource_CONFIRM |
| https://docs.geonetwork-opensource.org/4.4/api/search | x_refsource_MISC |
| https://github.com/geonetwork/core-geonetwork/rel… | x_refsource_MISC |
| https://github.com/geonetwork/core-geonetwork/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| geonetwork | core-geonetwork |
Affected:
< 4.2.10
Affected: >= 4.4.0, < 4.4.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32037",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T15:37:36.526856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T15:37:46.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core-geonetwork",
"vendor": "geonetwork",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.10"
},
{
"status": "affected",
"version": "\u003e= 4.4.0, \u003c 4.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoNetwork is a catalog application to manage spatially referenced resources. In versions prior to 4.2.10 and 4.4.5, the search end-point response headers contain information about Elasticsearch software in use. This information is valuable from a security point of view because it allows software used by the server to be easily identified. GeoNetwork 4.4.5 and 4.2.10 fix this issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 0,
"baseSeverity": "NONE",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T21:50:29.138Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-52rf-25hq-5m33",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-52rf-25hq-5m33"
},
{
"name": "https://docs.geonetwork-opensource.org/4.4/api/search",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.geonetwork-opensource.org/4.4/api/search"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/releases/tag/4.2.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/releases/tag/4.2.10"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/releases/tag/4.4.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/releases/tag/4.4.5"
}
],
"source": {
"advisory": "GHSA-52rf-25hq-5m33",
"discovery": "UNKNOWN"
},
"title": "GeoNetwork vulnerable to search end-point information disclosure in response headers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32037",
"datePublished": "2025-02-11T21:50:29.138Z",
"dateReserved": "2024-04-09T15:29:35.939Z",
"dateUpdated": "2025-02-12T15:37:46.364Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}