CVE-2024-36401
unknown
KEV
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
2.5
Description
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.
CISA KEV
- Vendor
- OSGeo
- Product
- GeoServer
- Due date
- 2024-08-05
Predictions
Exploit likelihood
99%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
{Vendor advisory: cisa-kev โ This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, https://github.com/geotools/geotools/pull/4797 ; https://nvd.nist.gov/vuln/detail/CVE-2024-36401}
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Metasploit modules
Source code queued for fetch โ refresh in a moment.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.geoserver.web:gs-web-app | >=2.24.0,<2.24.4 | 2.24.4 |
| Maven | org.geoserver:gs-wfs | >=2.24.0,<2.24.4 | 2.24.4 |
| Maven | org.geoserver:gs-wms | >=2.24.0,<2.24.4 | 2.24.4 |
| Maven | org.geoserver.web:gs-web-app | >=2.25.0,<2.25.2 | 2.25.2 |
| Maven | org.geoserver:gs-wfs | >=2.25.0,<2.25.2 | 2.25.2 |
| Maven | org.geoserver:gs-wms | >=2.25.0,<2.25.2 | 2.25.2 |
| Maven | org.geoserver.web:gs-web-app | >=2.23.0,<2.23.6 | 2.23.6 |
| Maven | org.geoserver:gs-wfs | >=2.23.0,<2.23.6 | 2.23.6 |
| Maven | org.geoserver:gs-wms | >=2.23.0,<2.23.6 | 2.23.6 |
| Maven | org.geoserver.web:gs-web-app | <2.22.6 | 2.22.6 |
| Maven | org.geoserver:gs-wfs | <2.22.6 | 2.22.6 |
| Maven | org.geoserver:gs-wms | <2.22.6 | 2.22.6 |
References
- https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
- https://nvd.nist.gov/vuln/detail/CVE-2024-36401
- https://github.com/geotools/geotools/pull/4797
- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
- https://github.com/geoserver/geoserver
- https://osgeo-org.atlassian.net/browse/GEOT-7587
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401
- https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401
- This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, https://github.com/geotools/geotools/pull/4797 ; https://nvd.nist.gov/vuln/detail/CVE-2024-36401
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.