Advisories for Maven/Org.geoserver/Gs-Wfs package

2024

Remote Code Execution (RCE) vulnerability in geoserver

Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.

2023

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

** DISPUTED ** GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in any version.