CVE-2024-36401

Published Jul 1, 2024

Last updated 3 days ago

Overview

Description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation, due to property names being unsafely evaluated as XPath expressions.

The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well, which makes this vulnerability apply to **ALL** GeoServer instances.

No public PoC is provided, but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.

Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer installation, where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This removes the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
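The triage helpers below are an added example for this page; they are not code from GeoServer, GeoTools or the advisory. They encode three facts the description states (the fixed versions per release branch, the request types confirmed exploitable, and the `gt-complex-x.y.jar` workaround) and add one detection heuristic that is an assumption of this example: a legitimate simple-feature property name is an identifier (optionally namespace-prefixed, comma-separated), so XPath function-call syntax in the WFS `propertyName` / `valueReference` parameters is worth flagging. The parameter names, the rule that branches after 2.25 post-date the fix, and the access-log lines are all constructed assumptions, not taken from the page.

```python
"""Triage helpers for CVE-2024-36401 (GeoServer/GeoTools XPath evaluation).

Added example, not GeoServer, GeoTools or advisory code. The detection
heuristic, parameter names and sample log lines are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Fixed versions stated in the advisory, keyed by release branch.
FIXED_VERSIONS = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}

# (service, request) pairs the advisory confirms as exploitable.
AFFECTED_REQUESTS = {
    ("wfs", "getfeature"), ("wfs", "getpropertyvalue"),
    ("wms", "getmap"), ("wms", "getfeatureinfo"), ("wms", "getlegendgraphic"),
    ("wps", "execute"),
}

# Assumption: WFS parameters that carry property names into the evaluator.
PROPERTY_PARAMS = ("propertyname", "valuereference")

# Assumption: a benign property list is identifiers separated by commas;
# anything with parentheses/quotes looks like an XPath function call.
SAFE_PROPERTY_LIST = re.compile(r"^[A-Za-z_][\w:./-]*(?:\s*,\s*[A-Za-z_][\w:./-]*)*$")

# Common access-log shape: client IP first, request target inside "GET ... HTTP/".
ACCESS_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/')


def is_vulnerable(version: str) -> bool:
    """True when a GeoServer version string precedes the fix for its branch."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Assumption: branches older than 2.23 never received the fix,
        # branches newer than 2.25 were released after it.
        return (major, minor) < (2, 23)
    return (major, minor, patch) < fixed


def workaround_applied(lib_jars) -> bool:
    """True when no gt-complex-x.y.jar remains in the given WEB-INF/lib listing."""
    return not any(re.fullmatch(r"gt-complex-\d+\.\d+\.jar", j) for j in lib_jars)


def suspicious_params(target: str):
    """Return (param, value) pairs whose property list is not plain identifiers,
    but only for the request types the advisory lists as exploitable."""
    parts = urlsplit(target)
    q = {k.lower(): v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    # Fall back to the path segment (/geoserver/wfs) when service= is omitted.
    service = q.get("service", parts.path.rstrip("/").rsplit("/", 1)[-1]).lower()
    request = q.get("request", "").lower()
    if (service, request) not in AFFECTED_REQUESTS:
        return []
    return [(p, q[p]) for p in PROPERTY_PARAMS if p in q and not SAFE_PROPERTY_LIST.match(q[p])]


def scan_access_log(text: str):
    """Yield (client_ip, param, value) for every flagged request in an access log."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        for param, value in suspicious_params(m["target"]):
            hits.append((m["ip"], param, value))
    return hits


# Constructed sample log: one normal GetFeature, one GetPropertyValue whose
# valueReference is an XPath function call (benign concat(), not an exploit),
# and one request type the advisory does not list.
CONSTRUCTED_LOG = """\
203.0.113.5 - - [15/Jul/2024:10:01:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 5120
203.0.113.7 - - [15/Jul/2024:10:01:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=concat('a','b') HTTP/1.1" 500 311
203.0.113.9 - - [15/Jul/2024:10:02:11 +0000] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetCapabilities HTTP/1.1" 200 20480
"""

if __name__ == "__main__":
    for v in ("2.25.1", "2.25.2", "2.22.5"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("workaround applied:", workaround_applied(["gt-complex-31.1.jar", "gt-main-31.1.jar"]))
    for hit in scan_access_log(CONSTRUCTED_LOG):
        print("flagged:", hit)
```

The log scan only covers GET query strings; WMS GetMap with an inline SLD and WPS Execute usually carry the property name in a POST body, which the access log does not record, so pair this with version triage rather than relying on it alone.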
Source
security-advisories@github.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
OSGeo GeoServer GeoTools Eval Injection Vulnerability
Exploit added on
Jul 15, 2024
Exploit action due
Aug 5, 2024
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

security-advisories@github.com
CWE-95
nvd@nist.gov
CWE-94

Social media

Hype score
Not currently trending
  1. I made a nice shodan dork for CVE-2024-36401. Shodan dork: http.html:"/ geoserver" http.title: "Geoserver". Valhalla 2.8 is private, but you can use the older version that's on GitHub. https://t.co/dJCQ21MXfB

    @yunus_huse99988

    29 Nov 2024

    14 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Top 5 Trending Security Vulnerabilities to Watch Out For: CVE-2024-44175 CVE-2024-37397 CVE-2024-7591 CVE-2024-36401 #infosec

    @UAFnUg

    28 Nov 2024

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2024-36401 GeoServer RCE poc https://t.co/j6su9PA2BM

    @turne85540

    28 Nov 2024

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 CVE-2024-36401 GeoServer Remote Code Execution PoC https://t.co/ruPbIoz4R6

    @DarkWebInformer

    27 Nov 2024

    3636 Impressions

    9 Retweets

    26 Likes

    8 Bookmarks

    3 Replies

    0 Quotes

  5. Our experts regularly update Core Impact's certified #exploit library. Get details on the latest additions, including CVE-2024-6769, CVE-2024-36401, CVE-2024-47176, CVE-2024-38054, CVE-2024-26230, CVE-2024-0799, CVE-2024-0800, and more. https://t.co/DziZgG9ccw https://t.co/gveK7y

    @CoreSecurity

    11 Nov 2024

    401 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. The CVE-2024-36401 vulnerability allows for Remote Code Execution with a CVSS score of 9.8, making it a significant risk for critical infrastructure. Earth Baxia is leveraging spear-phishing tactics to infiltrate systems and deploy advanced malware. https://t.co/iMaowb5MJp

    @Shift6Security

    4 Nov 2024

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2024-36401: GeoServer unauthenticated arbitrary code execution via XPath expression evaluation. Reported to government and space agencies over 4 months ago, yet many of them are still unpatched and exploitable with public PoC. Details and credits: https://t.co/zoiVfDguOW ht

    @win3zz

    3 Nov 2024

    5580 Impressions

    33 Retweets

    116 Likes

    69 Bookmarks

    2 Replies

    0 Quotes

  8. The threat actor Earth Baxia is exploiting CVE-2024-36401, a GeoServer vulnerability, to launch advanced attacks in APAC countries. They use this remote code execution exploit to infiltrate systems. Learn more: https://t.co/2wrix6Hg9s https://t.co/6I

    @TrendMicroES

    29 Oct 2024

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. The threat actor Earth Baxia is exploiting CVE-2024-36401, a GeoServer vulnerability, to launch advanced attacks in APAC countries. It uses this remote code execution exploit to infiltrate systems. https://t.co/aYFeQbdO5O

    @TrendMicroES

    21 Oct 2024

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

Configurations