PT-2024-4472 · Geoserver · Geoserver
Sikeoka · Published 2024-06-04 · Updated 2025-08-22
CVE-2024-36401 · CVSS 10 (Critical)
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
- GeoServer versions prior to 2.23.6
- GeoServer versions prior to 2.24.4
- GeoServer versions prior to 2.25.2
Description:
The vulnerability in GeoServer allows remote code execution by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. This vulnerability can be exploited through various requests, including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute. The threat actor Earth Baxia is exploiting this vulnerability to launch advanced attacks on APAC countries, using spear-phishing and customized malware to infiltrate systems. Multiple malware families have been delivered exploiting this flaw, including GOREVERSE and SideWalk.
Recommendations:
- For GeoServer versions prior to 2.23.6: Update to version 2.23.6 or later.
- For GeoServer versions prior to 2.24.4: Update to version 2.24.4 or later.
- For GeoServer versions prior to 2.25.2: Update to version 2.25.2 or later.
As a temporary workaround, consider removing the `gt-complex-x.y.jar` file from the GeoServer installation, where `x.y` is the GeoTools version. However, this may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Tags: Exploit · Fix · RCE · Eval Injection · Code Injection
References (236)
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb · Exploit
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w · Exploit
- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 · Exploit
- https://github.com/Chocapikk/CVE-2024-36401 · Exploit
- https://github.com/bigb0x/CVE-2024-36401 · Exploit
- https://github.com/Mr-xn/CVE-2024-36401 · Exploit
- https://github.com/netuseradministrator/CVE-2024-36401 · Exploit
- https://github.com/ahisec/geoserver- · Exploit
- https://github.com/thestar0/CVE-2024-36401-WoodpeckerPlugin · Exploit
- https://github.com/daniellowrie/CVE-2024-36401-PoC · Exploit
- https://github.com/Niuwoo/CVE-2024-36401 · Exploit
- https://github.com/XiaomingX/cve-2024-36401-poc · Exploit
- https://github.com/justin-p/geoexplorer · Exploit
- https://github.com/MInggongK/geoserver- · Exploit (repository deleted)
- https://vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401 · Exploit