Sikeoka

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.25.7 GeoServer versions prior to 2.26.3 GeoServer versions prior to 2.27.0 **Description** The issue allows malicious Jiffle scripts to be executed, potentially triggering a denial of service through an infinite loop. This can occur when the scripts are used as a rendering transformation in WMS dynamic styles or as a WPS process. **Recommendations** For versions prior to 2.25.7, update to version 2.25.7 or later. For versions prior to 2.26.3, update to version 2.26.3 or later. For versions prior to 2.27.0, update to version 2.27.0 or later. As a temporary workaround, consider disabling WMS dynamic styling and the Jiffle process to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.25.6 GeoServer versions prior to 2.26.3 **Description** The issue allows bypassing the default REST API security, enabling access to the index page. This is possible because the REST API security does not handle 'rest' with an extension (e.g., rest.html). The REST API index can disclose whether certain extensions are installed. **Recommendations** For versions prior to 2.25.6, update to version 2.25.6 or later. For versions prior to 2.26.3, update to version 2.26.3 or later. As a temporary workaround, in ${GEOSERVER DATA DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.22.6, 2.23.6, 2.24.4, and 2.25.2 GeoTools versions prior to 29.6, 30.4, and 31.2 **Description** GeoServer, an open-source server used for sharing and editing geospatial data, contains a Remote Code Execution (RCE) vulnerability. This flaw is due to unsafe evaluation of property names as XPath expressions, allowing unauthenticated users to execute arbitrary code through specially crafted input. The vulnerability exists because the GeoTools library API used by GeoServer improperly handles property/attribute names for feature types, passing them unsafely to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This issue affects all GeoServer instances. Multiple threat actors are actively exploiting this vulnerability to deploy malware, including crypto miners, botnets, and backdoors. Recent campaigns involve the use of spear-phishing techniques and the exploitation of the vulnerability to monetize victims' bandwidth. The Earth Baxia APT group has been observed targeting government and energy sectors in the APAC region using this vulnerability. The vulnerability has been exploited in attacks against a U.S. federal agency, resulting in lateral movement and the deployment of web shells. **Recommendations** GeoServer versions prior to 2.22.6: Update to version 2.22.6 or later. GeoServer versions prior to 2.23.6: Update to version 2.23.6 or later. GeoServer versions prior to 2.24.4: Update to version 2.24.4 or later. GeoServer versions prior to 2.25.2: Update to version 2.25.2 or later. GeoTools versions prior to 29.6: Update to version 29.6 or later. GeoTools versions prior to 30.4: Update to version 30.4 or later. GeoTools versions prior to 31.2: Update to version 31.2 or later.

**Name of the Vulnerable Software and Affected Versions** GeoTools versions prior to 31.2 GeoTools versions prior to 30.4 GeoTools versions prior to 29.6 **Description** GeoTools is an open source Java library that provides tools for geospatial data. Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. **Recommendations** For versions prior to 31.2, consider updating to version 31.2 or later. For versions prior to 30.4, consider updating to version 30.4 or later. For versions prior to 29.6, consider updating to version 29.6 or later. As a temporary workaround, consider removing the `gt-complex` jar from the application to operate with reduced functionality. Alternatively, for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0, utilize a drop-in replacement GeoTools jar from SourceForge.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.23.4 and 2.24.1 **Description** A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another user's browser when viewed in the WMS GetMap SVG Output Format with the Simple SVG renderer enabled. Access to the WMS SVG Format is available to all users by default, although data and service security may limit users' ability to trigger the XSS. If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user, performing any action within the application that the user can perform, viewing any information that the user is able to view, modifying any information that the user is able to modify, and initiating interactions with other application users. **Recommendations** For versions prior to 2.23.4, update to version 2.23.4 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider disabling the Simple SVG renderer in the WMS GetMap SVG Output Format until a patch is available. Restrict access to the WMS SVG Format to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.23.3 and 2.24.1 **Description** A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another user's browser when viewed in the WMS GetMap OpenLayers Output Format. Access to the WMS OpenLayers Format is available to all users by default, although data and service security may limit users' ability to trigger the XSS. **Recommendations** For versions prior to 2.23.3, update to version 2.23.3 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider restricting access to the WMS OpenLayers Format to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.23.4 and 2.24.1 **Description** A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another user's browser when viewed in the "MapML HTML Page". The MapML extension must be installed, and access to the MapML HTML Page is available to all users, although data security may limit users' ability to trigger the XSS. If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user, performing any action within the application that the user can perform, viewing any information that the user is able to view, modifying any information that the user is able to modify, and initiating interactions with other application users. **Recommendations** For versions prior to 2.23.4, update to version 2.23.4 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider disabling the MapML extension until a patch is available. Restrict access to the MapML HTML Page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.23.4 and 2.24.1 **Description** A stored cross-site scripting (XSS) vulnerability exists in GeoServer that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another user's browser when viewed in the GWC Demos Page. Access to the GWC Demos Page is available to all users, although data security may limit users' ability to trigger the XSS. If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user, performing any action within the application that the user can perform, viewing any information that the user is able to view, modifying any information that the user is able to modify, and initiating interactions with other application users. **Recommendations** For versions prior to 2.23.4, update to version 2.23.4 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider restricting access to the GWC Demos Page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.23.2 and 2.24.1 **Description** A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in the GeoServer catalog. This payload will execute in the context of another administrator’s browser when viewed in the "GWC Seed Form". Access to the GWC Seed Form is limited to full administrators by default, and granting non-administrators access to this endpoint is not recommended. **Recommendations** For versions prior to 2.23.2, update to version 2.23.2 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider restricting access to the GWC Seed Form to only full administrators to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.23.4 and 2.24.1 **Description** An arbitrary file upload vulnerability exists that enables an authenticated administrator with permissions to modify coverage stores through the "REST Coverage Store API" to upload arbitrary file contents to arbitrary file locations, which can lead to remote code execution. Coverage stores configured using relative paths have validation to prevent path traversal, but those using absolute paths do not. This issue can lead to executing arbitrary code, and an administrator with limited privileges could potentially exploit it to overwrite GeoServer security files and obtain full administrator privileges. Over 73,743 instances may be at risk. **Recommendations** For versions prior to 2.23.4, update to version 2.23.4 or later. For versions prior to 2.24.1, update to version 2.24.1 or later. As a temporary workaround, consider restricting access to the `REST Coverage Store API` to minimize the risk of exploitation. Avoid using absolute paths for coverage stores until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.23.5 and 2.24.2 **Description** An arbitrary file renaming issue exists, allowing an authenticated administrator with permissions to modify stores through the REST Coverage Store or Data Store API to rename arbitrary files and directories with a name that does not end in `.zip`. This issue can result in a denial of service, either by preventing GeoServer from running or by effectively deleting specific resources. The impact of renaming non-GeoServer files depends on the environment, but a denial of service is likely. The API endpoints involved are "http://localhost:8080/geoserver/rest/workspaces/a/coveragestores/b/external.geotiff" and "http://localhost:8080/geoserver/rest/workspaces/a/datastores/b/external.c". The `Content-Type` header is set to `application/zip` in the requests. **Recommendations** For versions prior to 2.23.5, update to version 2.23.5 or later. For versions prior to 2.24.2, update to version 2.24.2 or later. As a temporary workaround, consider restricting access to the REST Coverage Store and Data Store API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.23.3 and 2.24.0 **Description** A stored cross-site scripting (XSS) issue exists that enables an authenticated administrator with workspace-level privileges to store a JavaScript payload in uploaded style/legend resources or in a specially crafted datastore file. This payload will execute in the context of another user's browser when viewed in the Style Publisher. Access to the Style Publisher is available to all users, although data security may limit users' ability to trigger the XSS. If an attacker can control a script that is executed in the victim's browser, they can typically fully compromise that user, performing any action within the application that the user can perform, viewing any information that the user is able to view, modifying any information that the user is able to modify, and initiating interactions with other application users. **Recommendations** For GeoServer versions prior to 2.23.3, update to version 2.23.3 or later to resolve the issue. For GeoServer versions prior to 2.24.0, update to version 2.24.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Style Publisher to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GeoServer versions prior to 2.21.4 GeoServer versions prior to 2.22.2 GeoServer versions prior to 2.20.7 GeoServer versions prior to 2.19.7 GeoServer versions prior to 2.18.7 **Description** The issue is related to SQL injection vulnerabilities in GeoServer, which allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. The vulnerabilities arise from insufficient sanitization of user input in the CQL FILTER parameter of WFS and WMS protocols. This can be exploited by sending specially crafted requests to the "GET /geoserver/ows" endpoint. Vulnerable functions include `strEndsWith`, `strStartsWith`, and `PropertyIsLike`. **Recommendations** To resolve the issue, upgrade to version 2.21.4 or version 2.22.2. For versions prior to 2.20.7, upgrade to version 2.20.7. For versions prior to 2.19.7, upgrade to version 2.19.7. For versions prior to 2.18.7, upgrade to version 2.18.7. As a temporary workaround, consider disabling the PostGIS Datastore *encode functions* setting to mitigate `strEndsWith`, `strStartsWith` and `PropertyIsLike` misuse. Enable the PostGIS DataStore *preparedStatements* setting to mitigate the `FeatureId` misuse.

**Name of the Vulnerable Software and Affected Versions** GeoTools versions prior to 27.4 GeoTools versions prior to 28.2 **Description** GeoTools is an open source Java library that provides tools for geospatial data. It includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. The issue affects various filter and function implementations, including `PropertyIsLike`, `strEndsWith`, `strStartsWith`, `FeatureId`, `jsonArrayContains`, and `DWithin`. **Recommendations** To resolve the issue, upgrade to either version 27.4 or 28.2. As a temporary workaround, consider disabling `encode functions` for PostGIS DataStores. Alternatively, enable `prepared statements` for JDBCDataStores as a partial mitigation. For PostGIS DataStore, set `preparedStatements` to `true` and `encode functions` to `false` in the data store parameters to mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** JAI-EXT versions prior to 1.2.22 GeoServer (affected versions not specified) **Description** Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. This affects the downstream GeoServer project. **Recommendations** For JAI-EXT versions prior to 1.2.22, update to version 1.2.22 to patch the vulnerability. As a temporary workaround for users unable to upgrade, remove janino-x.y.z.jar from the classpath to negate the ability to compile Jiffle scripts from the final application.