PT-2024-4472 · Geoserver · Geoserver

Sikeoka · Published 2024-06-04 · Updated 2025-08-22 · CVE-2024-36401

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions:

GeoServer versions prior to 2.23.6

GeoServer versions prior to 2.24.4

GeoServer versions prior to 2.25.2

Description:

The vulnerability in GeoServer allows remote code execution by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. This vulnerability can be exploited through various requests, including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute. The threat actor Earth Baxia is exploiting this vulnerability to launch advanced attacks on APAC countries, using spear-phishing and customized malware to infiltrate systems. Multiple malware families have been delivered exploiting this flaw, including GOREVERSE and SideWalk.

Recommendations:

For GeoServer versions prior to 2.23.6: Update to version 2.23.6 or later.

For GeoServer versions prior to 2.24.4: Update to version 2.24.4 or later.

For GeoServer versions prior to 2.25.2: Update to version 2.25.2 or later.

As a temporary workaround, consider removing the `gt-complex-x.y.jar` file from the GeoServer installation, where `x.y` is the GeoTools version. However, this may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
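The three fixed versions above are per maintained branch, so an inventory check has to compare branch by branch rather than against a single threshold. The following is an added example (not code from the advisory or from the GeoServer project) that applies the stated ranges; it assumes releases on branches newer than 2.25 are outside the advisory's ranges and reports them as not affected.

```python
from __future__ import annotations

# First fixed release per maintained branch, as stated in the advisory
# for CVE-2024-36401 (PT-2024-4472).
FIXED_BY_BRANCH = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}
OLDEST_FIXED = min(FIXED_BY_BRANCH.values())  # (2, 23, 6)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple; a missing patch counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected(text: str) -> bool:
    """True when the version lies in an affected range listed in the advisory."""
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        # Maintained branch: affected until its own fix release.
        return v < FIXED_BY_BRANCH[branch]
    if v < OLDEST_FIXED:
        # Branches older than 2.23 never received a fix; all of them are affected.
        return True
    # Assumption: branches newer than 2.25 are outside the advisory's ranges.
    return False


def recommended_upgrade(text: str) -> str | None:
    """Fix release to move to, or None when no upgrade is required for this CVE."""
    if not is_affected(text):
        return None
    v = parse_version(text)
    # Older branches have no fix of their own: move to the oldest fixed release.
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]), OLDEST_FIXED)
    return ".".join(str(n) for n in fixed)


if __name__ == "__main__":
    for sample in ("2.22.3", "2.24", "2.25.1", "2.25.2", "2.26.0"):  # constructed inputs
        print(sample, "affected" if is_affected(sample) else "not affected", recommended_upgrade(sample))
```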

Exploit · Fix · RCE · Eval Injection · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2024-04974
CVE-2024-36401
GHSA-6JJ6-GM7P-FCVV
GHSA-W3PJ-WH35-FQ8W

Affected Products

Geoserver