GeoNetwork is a popular open-source catalog application for managing spatially referenced resources so that they are easier to discover and share. Some versions of the platform contain an information leakage vulnerability (CVE-2024-32037) that exposes details of the Elasticsearch backend sitting behind the server's search endpoint. In this long read post, we take an in-depth look at this vulnerability, including a sample response, the original references, and what exploiting it would actually involve.
Vulnerability Details
CVE-2024-32037 affects GeoNetwork versions prior to 4.2.10 and 4.4.5 (that is, 4.2.x releases before 4.2.10 and 4.4.x releases before 4.4.5). In these versions, the response headers returned by the search endpoint contain information about the Elasticsearch software that GeoNetwork uses as its search backend. Because GeoNetwork's search endpoint relays queries to Elasticsearch, this lets an unauthenticated client learn which search engine is in use, and with it a starting point for looking up known vulnerabilities and weaknesses in that software.
The following snippet shows a sample search response from a GeoNetwork instance older than 4.2.10 or 4.4.5 (constructed for illustration; the headers that name the Elasticsearch software are not reproduced here, but note that the body is an unmodified Elasticsearch search response):
HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 23:52:13 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 4024

{
  "took": 26,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    ...
  }
}
Two things give the backend away here. First, the body has the shape of Elasticsearch's own _search reply (took, timed_out, _shards, hits), which tells an attacker which search engine is behind the catalog regardless of any header. Second, in the affected versions the response headers themselves carry information about the Elasticsearch software in use, which is the leak the CVE describes. This matters because it lets an attacker skip guesswork and go straight to known vulnerabilities and weaknesses of that specific software. The caveat is that a fingerprint on its own compromises nothing: what it is worth depends on whether the Elasticsearch instance is reachable from the attacker's position and whether it is running an unpatched version.
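The following is an added example, not GeoNetwork code or anything from the project's fix: it parses a raw search response, reports the indicators that expose an Elasticsearch backend (identifying headers first, then the tell-tale body structure), and shows the allowlist-style header filter a relaying endpoint can apply before passing an upstream reply to the client. The sample response is constructed; the X-elastic-product header in it is one Elasticsearch 7.14+ sets on its own replies, and RELAY_ALLOWLIST is an assumed set of headers for the example, not the list the project uses.

```python
"""Fingerprint a relayed search response for Elasticsearch indicators, and
filter upstream headers before relaying them. Added example, not project code."""
import json
from typing import Dict, List, Tuple

Headers = Dict[str, str]

# Top-level keys of an Elasticsearch _search response. If all of them appear
# in a catalog's search reply, the backend answer is being relayed verbatim.
ES_BODY_KEYS = {"took", "timed_out", "_shards", "hits"}

# Headers a relaying endpoint has a reason to pass through. Everything else
# (product banners, upstream Server/Warning headers) is dropped. This
# allowlist is an assumption for the example, not the GeoNetwork patch.
RELAY_ALLOWLIST = {"content-type", "content-length", "content-encoding",
                   "cache-control"}


def parse_http_response(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split a raw HTTP/1.1 response into (status line, lower-cased header
    map, body). Repeated header names are joined with ', '."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed header line instead of aborting
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers, body


def fingerprint(headers: Headers, body: bytes) -> List[str]:
    """Return human-readable indicators that the reply exposes an
    Elasticsearch backend: identifying headers first, then the body shape."""
    findings: List[str] = []
    for name, value in headers.items():
        if "elastic" in name or "elastic" in value.lower():
            findings.append(f"header {name}: {value}")
        elif name == "server":
            findings.append(f"header server: {value} (upstream banner relayed)")
    try:
        doc = json.loads(body)
    except ValueError:
        return findings  # not JSON, so nothing more to learn from the body
    if isinstance(doc, dict) and ES_BODY_KEYS.issubset(doc):
        shards = doc.get("_shards", {})
        findings.append("body: raw Elasticsearch search response "
                        f"(took={doc.get('took')}, shards={shards.get('total')})")
    return findings


def sanitize_upstream_headers(headers: Headers) -> Headers:
    """Keep only allowlisted headers when relaying an upstream response."""
    return {k: v for k, v in headers.items() if k.lower() in RELAY_ALLOWLIST}


# Constructed sample, not a capture from a real GeoNetwork instance.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json; charset=UTF-8\r\n"
    b"X-elastic-product: Elasticsearch\r\n"
    b"\r\n"
    b'{"took": 26, "timed_out": false, '
    b'"_shards": {"total": 5, "successful": 5, "failed": 0}, '
    b'"hits": {"total": {"value": 0}, "hits": []}}'
)


def check_sample() -> List[str]:
    """Run the fingerprint over the constructed sample response."""
    _, headers, body = parse_http_response(SAMPLE_RESPONSE)
    return fingerprint(headers, body)


def relayed_sample_headers() -> Headers:
    """Headers that would survive the allowlist filter for the sample."""
    _, headers, _ = parse_http_response(SAMPLE_RESPONSE)
    return sanitize_upstream_headers(headers)


if __name__ == "__main__":
    for finding in check_sample():
        print("LEAK:", finding)
    print("relayed after filtering:", relayed_sample_headers())
```

To use this against a live instance, capture the raw response to a search request with any HTTP client and feed the bytes to parse_http_response; an empty list from fingerprint means neither the headers nor the body shape identifies the backend. The header filter is deliberately an allowlist rather than a denylist of known banners, since a denylist has to be updated every time the upstream adds a new identifying header.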
Official References and Resources
The official CVE record for CVE-2024-32037 can be found at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32037.
In addition, the official GeoNetwork GitHub repository publishes its security policy, including the supported versions and how to report a vulnerability, at https://github.com/geonetwork/core-geonetwork/blob/main/SECURITY.md; the advisory and patch details for individual CVEs are published through the repository's GitHub Security Advisories (https://github.com/geonetwork/core-geonetwork/security/advisories).
Exploit Details
There is currently no public exploit for this information leakage vulnerability, and none is really needed: reading the leaked headers takes nothing more than a single request to the search endpoint with an ordinary HTTP client. The leak is only a first step. An attacker who learns the specific Elasticsearch version behind a vulnerable GeoNetwork instance can look for existing exploits for known vulnerabilities in that version, but those only help if the Elasticsearch service is reachable and actually unpatched.
Fix and Patch
GeoNetwork versions 4.2.10 and 4.4.5 have been released and contain a fix for this vulnerability. It is highly recommended to upgrade to these versions to eliminate the potential risk caused by this information leakage. You can access the updated versions in the GitHub release page:
- GeoNetwork 4.2.10: https://github.com/geonetwork/core-geonetwork/releases/tag/4.2.10
- GeoNetwork 4.4.5: https://github.com/geonetwork/core-geonetwork/releases/tag/4.4.5
It is also worth noting that there are currently no known workarounds for the leak itself. Users are therefore strongly encouraged to upgrade their GeoNetwork installation to a patched version as soon as possible. Until that happens, keeping the Elasticsearch instance off any network an untrusted client can reach and keeping it patched limits what an attacker can do with the version information.
Conclusion
CVE-2024-32037 is an information leakage vulnerability in GeoNetwork versions prior to 4.2.10 and 4.4.5 that reveals, through the search endpoint's response headers, details about the Elasticsearch software used by the server. While no public exploit targets this vulnerability directly, the disclosed information gives attackers a shortcut to known weaknesses and vulnerabilities in the Elasticsearch backend. To mitigate this risk, users are advised to upgrade to GeoNetwork 4.2.10 or 4.4.5 as soon as possible.
Timeline
Published on: 02/11/2025 22:15:27 UTC