GeoNetwork 4.2.9 & 4.4.4 Exposes ES Vendor via Response Headers
CVE-2024-32037 Published on February 11, 2025
GeoNetwork vulnerable to search end-point information disclosure in response headers
GeoNetwork is a catalog application to manage spatially referenced resources. In versions prior to 4.2.10 and 4.4.5, the search end-point response headers contain information about Elasticsearch software in use. This information is valuable from a security point of view because it allows software used by the server to be easily identified. GeoNetwork 4.4.5 and 4.2.10 fix this issue. No known workarounds are available.
Vulnerability Analysis
CVE-2024-32037 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity and availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2024-32037 has been classified to as an Information Disclosure vulnerability or weakness.
Affected Versions
core-geonetwork:- Version < 4.2.10 is affected.
- Version >= 4.4.0, < 4.4.5 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-32037
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.geonetwork-opensource:gn-services | >= 4.4.0, < 4.4.5 | 4.4.5 |
| maven | org.geonetwork-opensource:gn-services | < 4.2.10 | 4.2.10 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.