What is the CVSS score of CVE-2024-38524?

CVE-2024-38524 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.2%.

Which versions of Geoserver are affected by CVE-2024-38524?

Organizations using GeoServer should be aware of moderate risk from CVE-2024-38524, a information exposure vulnerability rated CVSS 5.3.. A patch is available.

Is there a public PoC exploit available for CVE-2024-38524?

Yes, a public proof-of-concept exploit is available for CVE-2024-38524. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2024-38524?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review data exposure and access controls.

Geoserver CVE-2024-38524

EUVD-2025-17668 MEDIUM

Information Exposure (CWE-200)

2025-06-10 security-advisories@github.com

GHSA-jm79-7xhw-6f6f

Information Disclosure Geoserver

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Mar 14, 2026 - 19:49 euvd

EUVD-2025-17668

Analysis Generated

Mar 14, 2026 - 19:49 vuln.today

Patch released

Mar 14, 2026 - 19:49 nvd

Patch available

PoC Detected

Aug 26, 2025 - 16:22 vuln.today

Public exploit code

CVE Published

Jun 10, 2025 - 15:15 nvd

MEDIUM 5.3

DescriptionGitHub Advisory

GeoServer is an open source server that allows users to share and edit geospatial data. org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) has no check to hide potentially sensitive information from users except for a hidden system property to hide the storage locations that defaults to showing the locations. This vulnerability is fixed in 2.26.2 and 2.25.6.

Analysis

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).

RemediationAI

A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

CVE-2024-38524 vulnerability details – vuln.today

Back

Geoserver CVE-2024-38524

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code