CVE-2024-36401

KEV

Published: Lug 01, 2024 Last Modified: Ott 24, 2025

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.

The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.

Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

AI Generated Translation

GeoServer è un server open source che consente agli utenti di condividere e modificare dati geospaziali. Prima delle versioni 2.22.6, 2.23.6, 2.24.4 e 2.25.2, più parametri di richiesta OGC permettevano l'esecuzione di codice remoto (RCE) da parte di utenti non autenticati attraverso input appositamente creati contro un'installazione di GeoServer di default, a causa della valutazione non sicura dei nomi delle proprietà come espressioni XPath.

L'API della libreria GeoTools chiamata da GeoServer valuta i nomi delle proprietà/attributi per i tipi di feature in modo che li passa in modo insicuro alla libreria commons-jxpath, che può eseguire codice arbitrario durante la valutazione delle espressioni XPath. Questa valutazione XPath è destinata ad essere utilizzata solo per tipi di feature complessi (ad esempio, data store Application Schema), ma viene erroneamente applicata anche ai tipi di feature semplici, rendendo questa vulnerabilità applicabile a **TUTTI** gli istanti di GeoServer. Non è fornito un PoC pubblico, ma questa vulnerabilità è stata confermata come sfruttabile tramite richieste WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic e WPS Execute. Questa vulnerabilità può portare all'esecuzione di codice arbitrario.

Le versioni 2.22.6, 2.23.6, 2.24.4 e 2.25.2 contengono una patch per il problema. È possibile applicare una soluzione temporanea rimuovendo il file `gt-complex-x.y.jar` da GeoServer, dove `x.y` rappresenta la versione di GeoTools (ad esempio, `gt-complex-31.1.jar` se si utilizza GeoServer 2.25.1). Questo rimuoverà il codice vulnerabile da GeoServer, ma potrebbe interrompere alcune funzionalità di GeoServer o impedire il deployment di GeoServer stesso se il modulo gt-complex è necessario.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,9443

Percentile

1,0th

Updated

EPSS Score Trend (Last 90 Days)

Improper Control of Generation of Code ('Code Injection')

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Integrity Confidentiality Availability Non-Repudiation

Potential Impacts:

Bypass Protection Mechanism Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Hide Activities

Applicable Platforms

Languages: Interpreted

Technologies: AI/ML

Likelihood of Exploit: Medium

View CWE Details

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Incomplete

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Access Control Integrity Availability Other Non-Repudiation

Potential Impacts:

Read Files Or Directories Read Application Data Bypass Protection Mechanism Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Hide Activities

Applicable Platforms

Languages: Interpreted, Java, JavaScript, Perl, PHP, Python, Ruby

Technologies: AI/ML

Likelihood of Exploit: Medium

View CWE Details

Application

Geoserver by Geoserver

Product Information

Vendor Geoserver

Product Geoserver

Version Range Affected

From 2.23.0 (inclusive)

To 2.23.6 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geotools by Geotools

Product Information

Vendor Geotools

Product Geotools

Version Range Affected

From 30.1 (inclusive)

To 30.4 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geoserver by Geoserver

Product Information

Vendor Geoserver

Product Geoserver

Version Range Affected

From 2.24.0 (inclusive)

To 2.24.4 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geotools by Geotools

Product Information

Vendor Geotools

Product Geotools

Version 31.0

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geotools:geotools:31.0:rc:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geotools by Geotools

Product Information

Vendor Geotools

Product Geotools

Version Range Affected

To 29.6 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geotools by Geotools

Product Information

Vendor Geotools

Product Geotools

Version 31.0

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geotools by Geotools

Product Information

Vendor Geotools

Product Geotools

Version Range Affected

From 31.1 (inclusive)

To 31.2 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geoserver by Geoserver

Product Information

Vendor Geoserver

Product Geoserver

Version Range Affected

To 2.22.6 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geotools by Geotools

Product Information

Vendor Geotools

Product Geotools

Version 30.0

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geotools by Geotools

Product Information

Vendor Geotools

Product Geotools

Version 30.0

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geotools:geotools:30.0:rc:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Geoserver by Geoserver

Product Information

Vendor Geoserver

Product Geoserver

Version Range Affected

From 2.25.0 (inclusive)

To 2.25.2 (exclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

https://www.cisa.gov/known-exploited-vulnerabilities-catalo…

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024…

https://github.com/geoserver/geoserver/security/advisories/…

https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv

https://github.com/geotools/geotools/pull/4797

https://github.com/geotools/geotools/security/advisories/GH…

https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w

https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file…

https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-…

https://osgeo-org.atlassian.net/browse/GEOT-7587

https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-20…

https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401

https://github.com/geoserver/geoserver/security/advisories/…

https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv

https://github.com/geotools/geotools/pull/4797

https://github.com/geotools/geotools/security/advisories/GH…

https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w

https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file…

https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-…

https://osgeo-org.atlassian.net/browse/GEOT-7587

CVE-2024-36401

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 90 Days)

Improper Control of Generation of Code ('Code Injection')

Common Consequences

Applicable Platforms

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Common Consequences

Applicable Platforms

Geoserver by Geoserver

Product Information

Geotools by Geotools

Product Information

Geoserver by Geoserver

Product Information

Geotools by Geotools

Product Information

Geotools by Geotools

Product Information

Geotools by Geotools

Product Information

Geotools by Geotools

Product Information

Geoserver by Geoserver

Product Information

Geotools by Geotools

Product Information

Geotools by Geotools

Product Information

Geoserver by Geoserver

Product Information

Iscriviti alla newsletter