GeoServer's Server Status page and REST API (at /geoserver/rest/about/status) lists all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens, for example: Data stores defined with parameterized catalog settings (-DALLOW_ENV_PARAMETRIZATION=true) which need a password or access key. GeoServer's official Docker image uses environment variables to configure PostgreSQL JNDI resources, including credentials (POSTGRES_HOST, POSTGRES_USERNAME, POSTGRES_PASSWORD) Additionally, many community-developed GeoServer container images export other credentials from their start-up scripts as environment variables to the GeoServer (java) process, such as: GeoServer admin and master (root) passwords Tomcat management application password HTTPS/TLS certificate key store password AWS S3 bucket access keys The precise scope of the issue depends on which container image is used and how it is configured. [!NOTE] Some container images allow passing secrets as files (eg: POSTGRES_PASSWORD_FILE), or randomly generating passwords on start-up. While this is promoted as best-practice[^secret-files], if its start-up script exports these as environment variables to GeoServer, they are also impacted by this issue. Impact The “about status” API endpoint (at /geoserver/rest/about/status) which powers…Read More