[Geoserver-users] remote execution vulnerability (via REST API admin access)

New blog post up: Remote Execution Vulnerability

GeoServer has encountered a remote execution vulnerability in the REST API (used for remote administration).
This vulnerability, GEOS-7124, is addressed in the following scheduled releases:

  • GeoServer 2.8.0 – stable
  • GeoServer 2.7.3 – maintenance
  • GeoServer 2.6.5 – archived

Thanks to Andrea Aime (GeoSolutions) and Kevin Smith (Boundless) for both fixing this issue and backporting to the stable and maintenance series.

Users are encouraged to upgrade, keeping in mind exposure to this issue is limited to scripts using administrator credentials to access the REST API. Accounts making use of gsconfig (Python Library) also make use of these facilities.

For more information check the blog post, and we would be happy to answer questions.


Jody Garnett