PT-2024-4472 · Geoserver · Geoserver
Sikeoka
Published: 2024-06-04 · Updated: 2025-10-14
CVE-2024-36401
CVSS v3.1: 10.0 (Critical)
Base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GeoServer versions prior to 2.22.6, 2.23.6, 2.24.4, and 2.25.2
Description
GeoServer is an open-source server that allows users to share and edit geospatial data. Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation, because property names are unsafely evaluated as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended for complex feature types but is incorrectly applied to simple feature types as well, so all GeoServer instances are affected.

This vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.

Attackers are actively exploiting this vulnerability, with reports of compromised systems and the deployment of malware such as NetCat, XMRig, SideWalk, and GOREVERSE. Threat actors, including Earth Baxia, are leveraging this vulnerability to target government and energy sectors, using spear-phishing and customized malware. The vulnerability has been used to hijack resources, monetize bandwidth, and build botnets. A U.S. federal agency was breached due to this vulnerability.
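Because the flaw is triggered by XPath syntax arriving where a plain attribute name is expected, a cheap detection is to scan the OGC request parameters that carry property names and alert on anything that is not a bare (optionally namespace-prefixed) attribute-name list. The scanner below is an added example written for defenders, not code from PT Security or the GeoServer project. It assumes common-log-style access lines with the request line in double quotes, and it only inspects the WFS parameters propertyName and valueReference; the parameter list, the name grammar and the sample lines are all constructed for illustration.

```python
"""Flag OGC requests whose property-name parameters do not look like plain attribute names.

Added example (not PT Security's or GeoServer's code). Assumptions: access-log lines in a
common-log-like format, and only the parameter names in PROPERTY_PARAMS carry property names.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Request parameters through which GeoServer accepts property names (assumed, kept short).
PROPERTY_PARAMS = {"propertyname", "valuereference"}

# A simple-feature attribute name: optional namespace prefix, then letters/digits/_/./-,
# possibly several names separated by commas. Anything else (parentheses, quotes, slashes,
# brackets) is XPath-shaped and should not reach a simple feature type.
_NAME = r"(?:[A-Za-z_][\w.-]*:)?[A-Za-z_][\w.-]*"
PLAIN_NAME = re.compile(rf"^{_NAME}(?:,{_NAME})*$")

# Extracts the request target from a quoted request line such as "GET /path?query HTTP/1.1".
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return (param, value) pairs whose value is not a plain attribute-name list."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower() in PROPERTY_PARAMS and not PLAIN_NAME.match(value):
            hits.append((key, value))
    return hits


def scan_log(lines):
    """Return (line_number, client_ip, param, value) for every suspicious property-name value."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # not an access-log request line; skip rather than guess
        client_ip = line.split(" ", 1)[0]
        for key, value in suspicious_params(match.group("target")):
            findings.append((number, client_ip, key, value))
    return findings


# Constructed sample lines (not real traffic). The third line carries a parenthesised
# expression where an attribute name is expected, which is the shape to alert on.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jun/2024:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 5120',
    '203.0.113.5 - - [04/Jun/2024:10:00:02 +0000] "GET /geoserver/wms?service=WMS&request=GetMap'
    '&layers=topp:states&bbox=-180,-90,180,90&width=256&height=256&srs=EPSG:4326'
    '&format=image/png HTTP/1.1" 200 8192',
    '198.51.100.7 - - [04/Jun/2024:10:00:03 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states'
    '&valueReference=some-function(%27argument%27) HTTP/1.1" 400 310',
]

if __name__ == "__main__":
    for number, client_ip, key, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: {client_ip} sent {key}={value!r}")
```

The grammar is deliberately strict: a false positive on an unusual but legitimate attribute name costs an analyst a minute, whereas the XPath shapes it rejects have no business in a request against a simple feature type. In practice the same check belongs in front of GeoServer (WAF or reverse proxy) as well as in retrospective log review.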
Recommendations
Update GeoServer to version 2.22.6, 2.23.6, 2.24.4, or 2.25.2. As a workaround, remove the gt-complex-x.y.jar file from the GeoServer installation, where x.y is the GeoTools version (e.g., gt-complex-31.1.jar if running GeoServer 2.25.1).
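The recommendation gives two things to verify on each instance: whether the running version is at or above the fixed release for its branch, and, where it is not, whether the gt-complex jar has been removed. The triage helper below is an added example, not PT Security's or GeoServer's code. It assumes the version string looks like "2.25.1" and that the webapp keeps its libraries under WEB-INF/lib; it also assumes that branches older than 2.22 never received the fix and that branches newer than 2.25 ship it, since the advisory only names fixes for 2.22 through 2.25.

```python
"""Triage helper for CVE-2024-36401: version check plus gt-complex workaround check.

Added example (not PT Security's or GeoServer's code). Assumptions: GeoServer versions look
like "2.25.1", libraries live under <root>/WEB-INF/lib, branches below 2.22 are unfixed and
branches above 2.25 are fixed.
"""
import re
import tempfile
from pathlib import Path

# First fixed patch level per release branch, as named in the advisory.
FIXED_PATCH_BY_BRANCH = {
    (2, 22): 6,
    (2, 23): 6,
    (2, 24): 4,
    (2, 25): 2,
}

# The jar the workaround removes; the GeoTools version is captured for reporting.
GT_COMPLEX_JAR = re.compile(r"^gt-complex-(\d+\.\d+(?:\.\d+)?)\.jar$")


def parse_version(text):
    """Parse 'major.minor[.patch]' into a tuple; a missing patch counts as 0."""
    match = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version):
    """True if this GeoServer version predates the fix for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_PATCH_BY_BRANCH:
        return patch < FIXED_PATCH_BY_BRANCH[branch]
    # Assumption: older branches were never fixed, newer branches include the fix.
    return branch < (2, 22)


def find_gt_complex_jars(geoserver_root):
    """List gt-complex jars under WEB-INF/lib; an empty list means the workaround is in place."""
    lib_dir = Path(geoserver_root) / "WEB-INF" / "lib"
    if not lib_dir.is_dir():
        raise FileNotFoundError(f"no WEB-INF/lib under {geoserver_root}")
    return sorted(p.name for p in lib_dir.iterdir() if GT_COMPLEX_JAR.match(p.name))


def triage(version, geoserver_root):
    """Combine both checks into one verdict string."""
    if not is_affected(version):
        return "patched"
    jars = find_gt_complex_jars(geoserver_root)
    if jars:
        return "vulnerable: " + ", ".join(jars) + " present"
    return "mitigated by workaround (gt-complex jar removed); upgrade still recommended"


def make_sample_install(jar_name="gt-complex-31.1.jar"):
    """Create a throwaway directory mimicking the webapp layout (constructed for demonstration)."""
    root = Path(tempfile.mkdtemp(prefix="geoserver-"))
    lib_dir = root / "WEB-INF" / "lib"
    lib_dir.mkdir(parents=True)
    (lib_dir / jar_name).write_bytes(b"")        # stands in for the real, non-empty jar
    (lib_dir / "gt-main-31.1.jar").write_bytes(b"")  # unrelated jar that must not be flagged
    return root


if __name__ == "__main__":
    root = make_sample_install()
    print("2.25.1 before workaround:", triage("2.25.1", root))
    (root / "WEB-INF" / "lib" / "gt-complex-31.1.jar").unlink()
    print("2.25.1 after workaround: ", triage("2.25.1", root))
    print("2.25.2:                  ", triage("2.25.2", root))
```

Point triage() at the real webapp root (for the binary distribution that is the geoserver directory inside webapps) and at the version string the admin page or the REST about endpoint reports. The workaround verdict is deliberately worded as temporary: removing gt-complex disables complex-feature support and does not replace the upgrade.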
Tags: Exploit · Fix · RCE · Code Injection · Eval Injection
Related Identifiers
BDU:2024-04974
CVE-2024-36401
GHSA-6JJ6-GM7P-FCVV
GHSA-W3PJ-WH35-FQ8W
Affected Products
Geoserver
References (294)
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb (Exploit)
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w (Exploit)
- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 (Exploit)
- https://github.com/Chocapikk/CVE-2024-36401 (Exploit)
- https://github.com/bigb0x/CVE-2024-36401 (Exploit)
- https://github.com/Mr-xn/CVE-2024-36401 (Exploit)
- https://github.com/ahisec/geoserver- (Exploit)
- https://github.com/netuseradministrator/CVE-2024-36401 (Exploit)
- https://github.com/thestar0/CVE-2024-36401-WoodpeckerPlugin (Exploit)
- https://github.com/daniellowrie/CVE-2024-36401-PoC (Exploit)
- https://github.com/Niuwoo/CVE-2024-36401 (Exploit)
- https://github.com/justin-p/geoexplorer (Exploit)
- https://github.com/XiaomingX/cve-2024-36401-poc (Exploit)
- https://vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 (Exploit)
- https://github.com/MInggongK/geoserver- (Exploit, deleted)