PT-2024-4472 · Geoserver · Geoserver
Sikeoka · Published 2024-06-04 · Updated 2025-11-28
CVE-2024-36401
CVSS v2.0: 10 / 10 · Critical
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
GeoServer versions prior to 2.22.6
GeoServer versions prior to 2.23.6
GeoServer versions prior to 2.24.4
GeoServer versions prior to 2.25.2
GeoTools versions prior to 29.6
GeoTools versions prior to 30.4
GeoTools versions prior to 31.2
Description
GeoServer is an open-source server used for sharing and editing geospatial data. A vulnerability exists due to unsafe evaluation of property names as XPath expressions, allowing unauthenticated users to execute arbitrary code through specially crafted input against a default GeoServer installation. The GeoTools library API used by GeoServer evaluates property/attribute names in a way that passes them unsafely to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This vulnerability affects all GeoServer instances. Multiple request types, including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute, can be used to exploit this issue.

Recent campaigns have leveraged this vulnerability to deploy malware, including NetCat, XMRig, SideWalk, and GOREVERSE, and to monetize victims' bandwidth. The Earth Baxia APT group has been observed exploiting this vulnerability to target government and energy sectors in the APAC region. A U.S. federal agency was also compromised through this vulnerability.
Recommendations
For GeoServer versions prior to 2.22.6, update to version 2.22.6 or later.
For GeoServer versions prior to 2.23.6, update to version 2.23.6 or later.
For GeoServer versions prior to 2.24.4, update to version 2.24.4 or later.
For GeoServer versions prior to 2.25.2, update to version 2.25.2 or later.
For GeoTools versions prior to 29.6, update to version 29.6 or later.
For GeoTools versions prior to 30.4, update to version 30.4 or later.
For GeoTools versions prior to 31.2, update to version 31.2 or later.
As a workaround, remove the gt-complex-x.y.jar file from the GeoServer installation, where x.y is the GeoTools version. Note that this may break some GeoServer functionality.
Exploit · Fix · RCE · Code Injection · Eval Injection
Related Identifiers
BDU:2024-04974
CVE-2024-36401
GHSA-6JJ6-GM7P-FCVV
GHSA-W3PJ-WH35-FQ8W
Affected Products
Geoserver