Summary
GeoServer's Server Status page and REST API (at /geoserver/rest/about/status) lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message.
These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens, for example:
Data stores defined with parameterized catalog settings (
-DALLOW_ENV_PARAMETRIZATION=true) which need a password or access key.GeoServer's official Docker image uses environment variables to configure PostgreSQL JNDI resources, including credentials (
POSTGRES_HOST,POSTGRES_USERNAME,POSTGRES_PASSWORD)
Additionally, many community-developed GeoServer container images export other credentials from their start-up scripts as environment variables to the GeoServer (java) process, such as:
GeoServer
adminand master (root) passwordsTomcat management application password
HTTPS/TLS certificate key store password
AWS S3 bucket access keys
The precise scope of the issue depends on which container image is used and how it is configured.
[!NOTE]
Some container images allow passing secrets as files (eg: POSTGRES_PASSWORD_FILE), or randomly generating passwords on start-up. While this is promoted as best-practice[^secret-files], if its start-up script exports these as environment variables to GeoServer, they are also impacted by this issue.
Fixes / remediation
GeoServer 2.24.4 and 2.25.1 hide all environment variables and Java system properties by default, with no further action required by GeoServer administrators.
There are new settings to allow an administrator to display these again, effectively reverting this security fix. We strongly recommend administrators leave these settings as-is, and use alternative mechanisms to access environment variables (instructions below).
If you're using GeoServer in a container runtime (such as Docker or Kubernetes) or from some other distributor's packages, you'll need to wait for the maintainer to update the version of GeoServer used in their image.
[!WARNING]
If you run GeoServer with parameterized catalog settings (-DALLOW_ENV_PARAMETRIZATION=true), a GeoServer administrator could use this to access any environment variable or Java property by including it in some field which is rendered by the UI (such as the description field), even with this fix.
Advice for container / Docker image maintainers
Update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix.
Please leave environment variables and Java system properties hidden by default. If you provide the option to re-enable it, communicate the impact and risks so that users can make an informed choice.
Container images should practice "defence in depth", to limit the impact when it is configured to show environment variables and/or properties:
Pass secrets to the container as either:
- files which are only readable by the GeoServer process/UID, or,
- references (identifiers) to a secret stored in a cloud provider's metadata or secret management service
Pass secrets to GeoServer by generating configuration files as part of your start-up scripts, rather than passing variables/properties or relying on parameterized catalog settings.
Ensure any configuration files with secrets are not readable by other users.
Clear all environment variables which contain secrets before starting GeoServer.
Alternatively: start up GeoServer with only the environment variables it needs, and no secrets.
Don't pass secrets as command-line flags, these are shown in
psto all users!
Alternatives for displaying GeoServer's environment variables
On Linux, you can get all environment variables set at start-up time for a running process with:
tr '\0' '\n' < /proc/${GEOSERVER_PID}/environOn Windows, SysInternals' Process Explorer can show running processes' environment variables.
Current versions of macOS do not allow arbitrary access to other running processes' environment variables. Disabling these restrictions (on a macOS level) would significantly reduce the overall security of the system.
[^secret-files]: Docker Compose: How to use secrets in Docker Compose, Docker Swarm: Build support for Docker Secrets into your images
Impact
The “about status” API endpoint (at /geoserver/rest/about/status) which powers the Server Status page is only available to administrators.
Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts).
By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator’s credentials to gain access to credentials (ie: requires XSS).
We were unable to determine any other conditions under which the GeoServer REST API may be available more broadly.
CVE-2024-34696 has a CVSS score of 4.5 (Medium). The vector is network-reachable, high privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.24.4, 2.25.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
org.geoserver.web:gs-web-app to 2.24.4 or later; org.geoserver.web:gs-web-app to 2.25.1 or later; org.geoserver:gs-main to 2.24.4 or later; org.geoserver:gs-main to 2.25.1 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-34696? CVE-2024-34696 is a medium-severity security vulnerability in org.geoserver.web:gs-web-app (maven), affecting versions >= 2.10.0, < 2.24.4. It is fixed in 2.24.4, 2.25.1.
- How severe is CVE-2024-34696? CVE-2024-34696 has a CVSS score of 4.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2024-34696?
org.geoserver.web:gs-web-app(maven) (versions >= 2.10.0, < 2.24.4)org.geoserver:gs-main(maven) (versions >= 2.10.0, < 2.24.4)
- Is there a fix for CVE-2024-34696? Yes. CVE-2024-34696 is fixed in 2.24.4, 2.25.1. Upgrade to this version or later.
- Is CVE-2024-34696 exploitable, and should I be worried? Whether CVE-2024-34696 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-34696 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-34696?
- Upgrade
org.geoserver.web:gs-web-appto 2.24.4 or later - Upgrade
org.geoserver.web:gs-web-appto 2.25.1 or later - Upgrade
org.geoserver:gs-mainto 2.24.4 or later - Upgrade
org.geoserver:gs-mainto 2.25.1 or later
- Upgrade