CVE-2024-36401

Published Jul 1, 2024

Last updated 16 days ago

Overview

Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Source
security-advisories@github.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
OSGeo GeoServer GeoTools Eval Injection Vulnerability
Exploit added on
Jul 15, 2024
Exploit action due
Aug 5, 2024
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

security-advisories@github.com
CWE-95
nvd@nist.gov
CWE-94

Social media

Hype score
Not currently trending
  1. A critical RCE vulnerability (CVE-2024-36401) in GeoServer puts systems at risk. Attackers can exploit unpatched versions of GeoServer via crafted requests. Learn more about the exploit and how OPSWAT solutions help mitigate exposure to this critical security risk. Read the htt

    @OPSWAT

    20 Mar 2025

    70 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Recent vulnerability breakdowns include Androxgh0st Botnet Vulnerabilities, CVE-2024-36401 in GeoServer, and CVE-2023-1389 in TP-Link Archer AX21 Firmware. Providing detailed analysis to aid in understanding and mitigation.

    @agentwhitehat

    12 Jan 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2024-36401: Critical Vulnerability in GeoServer Allows RCE by Unauthenticated Users #unauthenticatedrce #rce #geoserverexploit #cve_2024_36401 #geoserver_rce https://t.co/Cm596jQFrc

    @_havij

    31 Dec 2024

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. I made a nice shodan dork for CVE-2024-36401 shodan dork: http.html:"/ geoserver" http.title: "Geoserver" Valhalla 2.8 is private, but you can use the older version that's on github. #hacker #hackers #hacking #cybersecurity #programming #programmer #python #python3 https://t.co/C

    @Zeddhacks

    10 Dec 2024

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. I made a nice shodan dork for CVE-2024-36401 shodan dork: http.html:"/ geoserver" http.title: "Geoserver" Valhalla 2.8 is private, but you can use the older version that's on github. https://t.co/dJCQ21MXfB

    @yunus_huse99988

    29 Nov 2024

    14 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Top 5 Trending Security Vulnerabilities to Watch Out For: CVE-2024-44175 CVE-2024-37397 CVE-2024-7591 CVE-2024-36401 #infosec

    @UAFnUg

    28 Nov 2024

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2024-36401 GeoServer RCE poc https://t.co/j6su9PA2BM

    @turne85540

    28 Nov 2024

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨CVE-2024-36401 GeoServer Remote Code Execution PoC https://t.co/ruPbIoz4R6

    @DarkWebInformer

    27 Nov 2024

    3636 Impressions

    9 Retweets

    26 Likes

    8 Bookmarks

    3 Replies

    0 Quotes

  9. Our experts regularly update Core Impact's certified #exploit library. Get details on the latest additions, including CVE-2024-6769, CVE-2024-36401, CVE-2024-47176, CVE-2024-38054, CVE-2024-26230, CVE-2024-0799, CVE-2024-0800, and more. https://t.co/DziZgG9ccw https://t.co/gveK7y

    @CoreSecurity

    11 Nov 2024

    401 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  10. The CVE-2024-36401 vulnerability allows for Remote Code Execution with a CVSS score of 9.8, making it a significant risk for critical infrastructure. Earth Baxia is leveraging spear-phishing tactics to infiltrate systems and deploy advanced malware. https://t.co/iMaowb5MJp

    @Shift6Security

    4 Nov 2024

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CVE-2024-36401: GeoServer unauthenticated arbitrary code execution via XPath expression evaluation. Reported to government and space agencies over 4 months ago, yet many of them are still unpatched and exploitable with public PoC. Details and credits: https://t.co/zoiVfDguOW ht

    @win3zz

    3 Nov 2024

    5580 Impressions

    33 Retweets

    116 Likes

    69 Bookmarks

    2 Replies

    0 Quotes

  12. Threat actor Earth Baxia is exploiting CVE-2024-36401, a GeoServer vulnerability, to launch advanced attacks in APAC countries. They use this remote code execution exploit to infiltrate systems. Learn more: https://t.co/2wrix6Hg9s https://t.co/6I

    @TrendMicroES

    29 Oct 2024

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Threat actor Earth Baxia is exploiting CVE-2024-36401, a GeoServer vulnerability, to launch advanced attacks in APAC countries. It uses this remote code execution exploit to infiltrate systems. https://t.co/aYFeQbdO5O

    @TrendMicroES

    21 Oct 2024

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations