Vulnerabilites related to geotools - geotools
Vulnerability from fkie_nvd
Published
2024-07-01 16:15
Modified
2025-04-03 19:57
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
References
Impacted products
{
"cisaActionDue": "2024-08-05",
"cisaExploitAdd": "2024-07-15",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "OSGeo GeoServer GeoTools Eval Injection Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE0EE582-FAE7-4528-9A5E-6E56EB1DE345",
"versionEndExcluding": "2.22.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0069EB0E-BF96-47F5-8A02-13F9FA6C15D8",
"versionEndExcluding": "2.23.6",
"versionStartIncluding": "2.23.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A407E94-A7F2-4A4F-B96E-2B3DC8FF6DF3",
"versionEndExcluding": "2.24.4",
"versionStartIncluding": "2.24.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CFBAEC7A-6250-45FE-AB54-30D72C03F62D",
"versionEndExcluding": "2.25.2",
"versionStartIncluding": "2.25.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "732DE428-3515-459F-AE5F-08407BA1A049",
"versionEndExcluding": "29.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D3B2BC3D-0015-4E5D-979A-AB7D18185A57",
"versionEndExcluding": "30.4",
"versionStartIncluding": "30.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "50BB4154-B19C-4BFD-8E88-9ED445680706",
"versionEndExcluding": "31.2",
"versionStartIncluding": "31.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n\nThe GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.\n\nVersions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed."
},
{
"lang": "es",
"value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. Antes de las versiones 2.23.6, 2.24.4 y 2.25.2, varios par\u00e1metros de solicitud de OGC permit\u00edan la ejecuci\u00f3n remota de c\u00f3digo (RCE) por parte de usuarios no autenticados a trav\u00e9s de entradas especialmente dise\u00f1adas en una instalaci\u00f3n predeterminada de GeoServer debido a la evaluaci\u00f3n insegura de nombres de propiedades como expresiones XPath. La API de la librer\u00eda GeoTools a la que llama GeoServer eval\u00faa los nombres de propiedades/atributos para tipos de entidades de una manera que los pasa de manera insegura a la librer\u00eda commons-jxpath, que puede ejecutar c\u00f3digo arbitrario al evaluar expresiones XPath. Esta evaluaci\u00f3n XPath est\u00e1 destinada a ser utilizada \u00fanicamente por tipos de funciones complejas (es decir, almacenes de datos de esquemas de aplicaci\u00f3n), pero tambi\u00e9n se aplica incorrectamente a tipos de funciones simples, lo que hace que esta vulnerabilidad se aplique a **TODAS** las instancias de GeoServer. No se proporciona ninguna PoC p\u00fablica, pero se ha confirmado que esta vulnerabilidad es explotable a trav\u00e9s de solicitudes WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic y WPS Execute. Esta vulnerabilidad puede llevar a la ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones 2.23.6, 2.24.4 y 2.25.2 contienen un parche para el problema. Existe una workaround eliminando el archivo `gt-complex-xyjar` del GeoServer donde `xy` es la versi\u00f3n de GeoTools (por ejemplo, `gt-complex-31.1.jar` si ejecuta GeoServer 2.25.1). Esto eliminar\u00e1 el c\u00f3digo vulnerable de GeoServer, pero puede interrumpir algunas funciones de GeoServer o evitar que GeoServer se implemente si se necesita el m\u00f3dulo gt-complex."
}
],
"id": "CVE-2024-36401",
"lastModified": "2025-04-03T19:57:04.207",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-01T16:15:04.120",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-95"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-21 21:15
Modified
2024-11-21 07:49
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C176DA1D-2F0C-4851-B8F2-4E4B89EF846A",
"versionEndExcluding": "24.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2DEC4D52-9DB7-4B98-B303-A85A25B2FF99",
"versionEndExcluding": "25.7",
"versionStartIncluding": "25.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "41A8AAAE-AD5F-480B-B4E3-1856A7A5F3EB",
"versionEndExcluding": "26.7",
"versionStartIncluding": "26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6675E1F5-3717-414F-A839-4DE8F36FE1D0",
"versionEndExcluding": "27.4",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4F011666-B3FF-4EA0-833B-E9738097FDAB",
"versionEndExcluding": "28.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation."
}
],
"id": "CVE-2023-25158",
"lastModified": "2024-11-21T07:49:13.280",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-21T21:15:11.157",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-13 21:15
Modified
2024-11-21 06:51
Severity ?
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F68492E7-1B2A-4854-B4EE-921899EC15D9",
"versionEndExcluding": "24.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CEC38324-CCBF-46BE-9D58-1D821EAB22D9",
"versionEndExcluding": "25.6",
"versionStartIncluding": "25.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A3235DAF-46D9-4ACD-8D36-467B26513BA7",
"versionEndExcluding": "26.4",
"versionStartIncluding": "26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings."
},
{
"lang": "es",
"value": "GeoTools es una biblioteca Java de c\u00f3digo abierto que proporciona herramientas para datos geoespaciales. La biblioteca GeoTools presenta una serie de fuentes de datos que pueden llevar a cabo b\u00fasquedas JNDI no verificadas, que a su vez pueden ser usadas para llevar a cabo una deserializaci\u00f3n de clases y resultar en una ejecuci\u00f3n de c\u00f3digo arbitrario. Al igual que en el caso de Log4J, la vulnerabilidad puede desencadenarse si los nombres JNDI son proporcionados por el usuario, pero requiere un inicio de sesi\u00f3n a nivel de administrador para activarse. Las b\u00fasquedas est\u00e1n ahora restringidas en GeoTools versi\u00f3n 26.4, GeoTools versi\u00f3n 25.6 y GeoTools versi\u00f3n 24.6. Los usuarios que no puedan actualizar deben asegurarse de que cualquier aplicaci\u00f3n posterior no permita el uso de cadenas JNDI proporcionadas de forma remota"
}
],
"id": "CVE-2022-24818",
"lastModified": "2024-11-21T06:51:09.987",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-13T21:15:07.753",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-917"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-25158 (GCVE-0-2023-25158)
Vulnerability from cvelistv5
Published
2023-02-21 20:57
Modified
2025-03-10 21:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:18:36.170Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
},
{
"name": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:59:06.366397Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:07:23.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"status": "affected",
"version": "\u003e= 28.0, \u003c 28.2"
},
{
"status": "affected",
"version": "\u003c 27.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-21T20:57:47.754Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
},
{
"name": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
}
],
"source": {
"advisory": "GHSA-99c3-qc2q-p94m",
"discovery": "UNKNOWN"
},
"title": "Unfiltered SQL Injection in Geotools"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25158",
"datePublished": "2023-02-21T20:57:47.754Z",
"dateReserved": "2023-02-03T16:59:18.244Z",
"dateUpdated": "2025-03-10T21:07:23.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24818 (GCVE-0-2022-24818)
Vulnerability from cvelistv5
Published
2022-04-13 20:55
Modified
2025-04-23 18:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings.
References
| ► | URL | Tags |
|---|---|---|
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.507Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24818",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:54:30.478274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:40:15.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"status": "affected",
"version": "\u003e= 26.0, \u003c 26.4"
},
{
"status": "affected",
"version": "\u003e= 25.0, \u003c 25.6"
},
{
"status": "affected",
"version": "\u003c 24.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-13T20:55:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
}
],
"source": {
"advisory": "GHSA-jvh2-668r-g75x",
"discovery": "UNKNOWN"
},
"title": "Unchecked JNDI lookups in GeoTools",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24818",
"STATE": "PUBLIC",
"TITLE": "Unchecked JNDI lookups in GeoTools"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "geotools",
"version": {
"version_data": [
{
"version_value": "\u003e= 26.0, \u003c 26.4"
},
{
"version_value": "\u003e= 25.0, \u003c 25.6"
},
{
"version_value": "\u003c 24.6"
}
]
}
}
]
},
"vendor_name": "geotools"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x",
"refsource": "CONFIRM",
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
},
{
"name": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"refsource": "MISC",
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
}
]
},
"source": {
"advisory": "GHSA-jvh2-668r-g75x",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24818",
"datePublished": "2022-04-13T20:55:12.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:40:15.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36404 (GCVE-0-2024-36404)
Vulnerability from cvelistv5
Published
2024-07-02 13:39
Modified
2024-08-02 03:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Summary
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"lessThan": "29.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"lessThan": "30.4",
"status": "affected",
"version": "30.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"lessThan": "31.2",
"status": "affected",
"version": "31.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T03:55:24.839633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T12:17:05.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.024Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"status": "affected",
"version": "\u003c 29.6"
},
{
"status": "affected",
"version": "\u003e= 30.0, \u003c 30.4"
},
{
"status": "affected",
"version": "\u003e= 31.0, \u003c 31.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one\u0027s application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T13:39:35.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1"
}
],
"source": {
"advisory": "GHSA-w3pj-wh35-fq8w",
"discovery": "UNKNOWN"
},
"title": "GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36404",
"datePublished": "2024-07-02T13:39:35.716Z",
"dateReserved": "2024-05-27T15:59:57.031Z",
"dateUpdated": "2024-08-02T03:37:05.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36401 (GCVE-0-2024-36401)
Vulnerability from cvelistv5
Published
2024-07-01 15:25
Modified
2025-07-30 01:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.23.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:2.24.0:-:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.24.4",
"status": "affected",
"version": "2.24.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:2.25.0:-:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.25.2",
"status": "affected",
"version": "2.25.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36401",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-13T03:55:17.574252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-07-15",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:37:00.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2024-07-15T00:00:00+00:00",
"value": "CVE-2024-36401 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-19T07:47:49.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"url": "https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.23.0, \u003c 2.23.6"
},
{
"status": "affected",
"version": "\u003e= 2.24.0, \u003c 2.24.4"
},
{
"status": "affected",
"version": "\u003e= 2.25.0, \u003c 2.25.2"
},
{
"status": "affected",
"version": "\u003c 2.22.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n\nThe GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.\n\nVersions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T14:55:46.536Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
}
],
"source": {
"advisory": "GHSA-6jj6-gm7p-fcvv",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36401",
"datePublished": "2024-07-01T15:25:41.873Z",
"dateReserved": "2024-05-27T15:59:57.030Z",
"dateUpdated": "2025-07-30T01:37:00.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}