PT-2022-16921 · Geoserver · Geoserver

Jodygarnett · Published 2022-04-13 · Updated 2025-12-29 · CVE-2022-24847

CVSS v2.0: 9.0
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
GeoServer versions prior to 2.21.0
GeoServer versions prior to 2.20.4
GeoServer versions prior to 1.19.6

Description
The GeoServer security mechanism can perform an unchecked JNDI lookup, which can be used to perform class deserialization and result in arbitrary code execution. This can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. To exploit this, an attacker needs to have obtained admin rights and to use either the GeoServer GUI or its REST API.
Recommendations
For versions prior to 2.21.0, 2.20.4 or 1.19.6 respectively: restrict access to geoserver/web and geoserver/rest via a firewall and ensure that the GeoWebCache is not remotely accessible.
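The following reverse-proxy configuration is an added example of the recommendation above; it is not part of the advisory or of the GeoServer project. It assumes nginx is deployed in front of a GeoServer instance listening on 127.0.0.1:8080, that the administrators' source network is 10.0.0.0/24 (a placeholder), and that the GeoWebCache REST interface is reachable under /geoserver/gwc/rest. The admin GUI, the REST API and the GeoWebCache REST interface are limited to the management network, while the public OGC service endpoints remain reachable.

```nginx
# Added example, not GeoServer project configuration.
# Assumes GeoServer listens on 127.0.0.1:8080 behind this proxy.
upstream geoserver_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name maps.example.org;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key directives omitted here

    # Admin GUI (geoserver/web) and REST API (geoserver/rest): exploitation
    # requires admin rights on exactly these interfaces, so only the
    # management network (placeholder 10.0.0.0/24) and localhost may reach them.
    location ~ ^/geoserver/(web|rest)(/|$) {
        allow 10.0.0.0/24;
        allow 127.0.0.1;
        deny  all;
        proxy_pass http://geoserver_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # GeoWebCache REST interface (assumed path): never exposed remotely.
    location ~ ^/geoserver/gwc/rest(/|$) {
        allow 127.0.0.1;
        deny  all;
        proxy_pass http://geoserver_backend;
        proxy_set_header Host $host;
    }

    # Everything else under /geoserver/ (WMS, WFS, WMTS tile requests, ...)
    # stays publicly reachable.
    location /geoserver/ {
        proxy_pass http://geoserver_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Regex `location ~` blocks take precedence over the prefix `location /geoserver/` block in nginx, so the deny rules apply before the catch-all is consulted. Verify the configuration with `nginx -t` and confirm from a host outside the management network that /geoserver/web/ and /geoserver/rest/ return 403 while a WMS GetCapabilities request still succeeds. This proxy-level restriction is a compensating control; upgrading to a fixed release remains the actual fix.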

Tags: Exploit · Fix · RCE

Related Identifiers

BDU:2025-04925
CVE-2022-24847
GHSA-4PM3-F52J-8GGH

Affected Products

Geoserver