CVE-2024-36401: Remote Code Execution (RCE) vulnerability in geoserver
(updated )
Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
References
- github.com/Warxim/CVE-2022-41852?tab=readme-ov-file
- github.com/advisories/GHSA-6jj6-gm7p-fcvv
- github.com/geoserver/geoserver
- github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
- github.com/geotools/geotools/pull/4797
- github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
- nvd.nist.gov/vuln/detail/CVE-2024-36401
- osgeo-org.atlassian.net/browse/GEOT-7587
- www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401
Code Behaviors & Features
Detect and mitigate CVE-2024-36401 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →