CVE-2024-32037: GeoNetwork vulnerable to search end-point information disclosure in response headers

0.0 CVSS

Description

GeoNetwork is a catalog application to manage spatially referenced resources. In versions prior to 4.2.10 and 4.4.5, the search end-point response headers contain information about Elasticsearch software in use. This information is valuable from a security point of view because it allows software used by the server to be easily identified. GeoNetwork 4.4.5 and 4.2.10 fix this issue. No known workarounds are available.

Classification

CVE ID: CVE-2024-32037

CVSS Base Severity: NONE

CVSS Base Score: 0.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Affected Products

Vendor: geonetwork

Product: core-geonetwork

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.37% (share of scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-03-12 (date this score was calculated)

References

https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-52rf-25hq-5m33
https://docs.geonetwork-opensource.org/4.4/api/search
https://github.com/geonetwork/core-geonetwork/releases/tag/4.2.10
https://github.com/geonetwork/core-geonetwork/releases/tag/4.4.5

Timeline