Geonetwork
cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Osgeo (706646bf-cac0-5b16-9ff6-83d28fd0444b) |
|---|---|
| Product | Geonetwork (37753974-c015-573e-ae24-5ab1c282ea2a) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |

PURL mappings

| PURL | Source | Last updated |
|---|---|---|
| pkg:docker/geonetwork | purl2cpe | 2026-06-01 10:12:16.140457 |
| pkg:github/geonetwork/core-geonetwork | purl2cpe | 2026-06-01 10:12:16.140459 |
| pkg:sourceforge/geonetwork | purl2cpe | 2026-06-01 10:12:16.140462 |

Vulnerability references

| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-30220 | vulnerable | 2026-06-08 07:16:59.314716 | GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling<br>CRITICAL (9.9)<br>GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.<br>Published: 2025-06-10T15:16:39.339Z<br>Updated: 2025-06-10T17:13:09.180Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-32037 | vulnerable | 2026-06-08 06:35:32.657325 | GeoNetwork vulnerable to search end-point information disclosure in response headers<br>NONE<br>GeoNetwork is a catalog application to manage spatially referenced resources. In versions prior to 4.2.10 and 4.4.5, the search end-point response headers contain information about Elasticsearch software in use. This information is valuable from a security point of view because it allows software used by the server to be easily identified. GeoNetwork 4.4.5 and 4.2.10 fix this issue. No known workarounds are available.<br>Published: 2025-02-11T21:50:29.138Z<br>Updated: 2025-02-12T15:37:46.364Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2022-50899 | vulnerable | 2026-06-08 05:52:03.673418 | Geonetwork 4.2.0 - XML External Entity (XXE)<br>MEDIUM (6.5)<br>Geonetwork 3.10 through 4.2.0 contains an XML external entity vulnerability in PDF rendering that allows attackers to retrieve arbitrary files from the server. Attackers can exploit the insecure XML parser by crafting a malicious XML document with external entity references to read system files through the baseURL parameter in PDF creation requests.<br>Published: 2026-01-13T22:51:45.416Z<br>Updated: 2026-05-14T02:07:00.169Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-28398 | vulnerable | 2026-06-08 05:31:24.165191 | A privileged attacker in GeoNetwork before 3.12.0 and 4.x before 4.0.4 can use the directory harvester before-script to execute arbitrary OS commands remotely on the hosting infrastructure. A User Administrator or Administrator account is required to perform this. This occurs in the runBeforeScript method in harvesters/src/main/java/org/fao/geonet/kernel/harvest/harvester/localfilesystem/LocalFilesystemHarvester.java. The earliest affected version is 3.4.0.<br>Published: 2022-09-05T16:09:29.000Z<br>Updated: 2024-08-03T21:40:14.221Z | Imported from gcve-enriched-dumps CVE data |