PT-2022-16898 · Geotools · Geotools

Published

2022-04-13

·

Updated

2023-06-23

·

CVE-2022-24818

CVSS v3.1

8.2

High

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

GeoTools 24.x versions prior to 24.6
GeoTools 25.x versions prior to 25.6
GeoTools 26.x versions prior to 26.4
Description

The GeoTools library has a number of data sources that can perform unchecked JNDI lookups. A lookup of an attacker-chosen name can be used to perform class deserialization and result in arbitrary code execution. The issue can only be triggered if the JNDI names are user-provided, and triggering it requires an admin-level login. Newer versions of GeoTools restrict these lookups.
Recommendations

For versions prior to 24.6, upgrade to GeoTools 24.6 or later. For 25.x versions prior to 25.6, upgrade to GeoTools 25.6 or later. For 26.x versions prior to 26.4, upgrade to GeoTools 26.4 or later.

As a temporary workaround until the upgrade is applied, ensure that downstream applications do not pass remotely provided JNDI strings to the affected data sources: restrict which JNDI names can be looked up, and do not accept user-provided JNDI names at all.
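As an added illustration of the mechanism described above and of the "restrict access to JNDI lookups" workaround (this is example code written for this page, not GeoTools's own code nor its actual fix; the class JndiLookupGuard, its method names and the sample names are hypothetical), the unchecked lookup pattern is shown next to a guarded variant that refuses any name outside the local java: namespace:

```java
import java.util.Locale;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added illustration, not GeoTools code: the unchecked JNDI lookup pattern the
 * advisory describes, beside a guarded variant that only resolves names inside
 * the local "java:" namespace (or relative names in the default context).
 */
public final class JndiLookupGuard {

    // Allowed shape of a name once the scheme question is settled: an optional
    // "java:" prefix followed by path-like components. No whitespace, no "//".
    private static final Pattern LOCAL_NAME =
            Pattern.compile("^(java:)?[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*$");

    /** Vulnerable: a request-controlled string goes straight to InitialContext. */
    static Object uncheckedLookup(String userSuppliedName) throws NamingException {
        Context ctx = new InitialContext();
        // A name such as "ldap://attacker.example:1389/obj" makes the provider contact a
        // server the caller chose; the returned Reference/serialized object is then
        // instantiated, which is the deserialization step that leads to code execution.
        return ctx.lookup(userSuppliedName);
    }

    /** Hardened: validate the name before it reaches any naming provider. */
    static Object guardedLookup(String name) throws NamingException {
        if (!isLocalJndiName(name)) {
            throw new NamingException("refusing JNDI lookup of '" + name
                    + "': only local java: names are allowed");
        }
        Context ctx = new InitialContext();
        return ctx.lookup(name);
    }

    /**
     * The policy check, kept free of JNDI so it can be unit-tested without a provider.
     * Any explicit scheme other than "java:" (ldap:, ldaps:, rmi:, iiop:, dns:, ...)
     * is rejected, in any letter case; so is anything that does not look like a
     * plain name path.
     */
    static boolean isLocalJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        String lower = name.toLowerCase(Locale.ROOT);
        int colon = lower.indexOf(':');
        if (colon >= 0 && !lower.startsWith("java:")) {
            return false; // some other URL scheme: remote lookup, refuse
        }
        return LOCAL_NAME.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names; only the policy check runs, no naming provider is contacted.
        String[] samples = {
            "java:comp/env/jdbc/geodata",        // container-managed DataSource: allowed
            "jdbc/geodata",                      // relative name in the default context: allowed
            "ldap://attacker.example:1389/obj",  // remote LDAP reference: refused
            "RMI://attacker.example:1099/obj",   // scheme in upper case: still refused
            "java:comp/env/jdbc/geo data",       // whitespace, not a plausible name: refused
        };
        for (String s : samples) {
            System.out.printf("%-36s -> %s%n", s, isLocalJndiName(s) ? "allowed" : "refused");
        }
    }
}
```

The check deliberately sits in front of InitialContext rather than relying on JDK-level settings such as trustURLCodebase, because a malicious LDAP or RMI response can still deliver a serialized object that is deserialized locally. In a downstream application the strongest version of the workaround is the one the recommendations already give: do not take JNDI names from requests at all, and keep them in server-side configuration that only an administrator can edit.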

Exploit

Fix

RCE


Related Identifiers

CVE-2022-24818
GHSA-jvh2-668r-g75x

Affected Products

Geotools