Russian Vulnerability Scanner Database

Back to List

CVE-2024-36401

Scores

EPSS

0.944High94.4%
0%20%40%60%80%100%

Percentile: 94.4%

CVSS

9.8Critical3.x
0246810

CVSS Score: 9.8/10

All CVSS Scores

CVSS 3.x
9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.

The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to ALL GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.

Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the gt-complex-x.y.jar file from the GeoServer where x.y is the GeoTools version (e.g., gt-complex-31.1.jar if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

Scaner-VS 7 — a modern vulnerability management solution

Uses this database for vulnerability detection. High-speed search, cross-platform, advanced configuration audit, and flexible filtering. Suitable for organizations of any size.
Learn more about Scaner-VS 7

Sources

anchore_overridesnvd

CWEs

CWE-94

Related Vulnerabilities

BDU:2024-04974

Exploits

Exploit ID: CVE-2024-36401

Source: cisa

URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Vulnerable Software (5)

Type: Configuration

Operating System:

Trait: 
{
  "children": [
    {
      "cpe_match": [
        {
          "cpe23uri": "cpe:2.3:a:org.geoserver.web:gs-web-app:*:*:*:*:*:maven:*:*",
          "versionEndExcluding": "2.23.6"
        },
        ...

Source: anchore_overrides

Type: Configuration

Operating System:

Trait: 
{
  "children": [
    {
      "cpe_match": [
        {
          "cpe23uri": "cpe:2.3:a:org.geoserver:gs-wfs:*:*:*:*:*:maven:*:*",
          "versionEndExcluding": "2.23.6"
        },
        {
      ...

Source: anchore_overrides

Type: Configuration

Operating System:

Trait: 
{
  "children": [
    {
      "cpe_match": [
        {
          "cpe23uri": "cpe:2.3:a:org.geoserver:gs-wms:*:*:*:*:*:maven:*:*",
          "versionEndExcluding": "2.23.6"
        },
        {
      ...

Source: anchore_overrides

Type: Configuration

Vendor: geoserver

Product: geoserver

Operating System: * * *

Trait: 
{
  "cpe_match": [
    {
      "cpe23uri": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "2.23.6",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:ge...

Source: nvd

Type: Configuration

Vendor: geotools

Product: geotools

Operating System: * * *

Trait: 
{
  "cpe_match": [
    {
      "cpe23uri": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
      "versionEndExcluding": "2.23.6",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:ge...

Source: nvd