PT-2022-16920 · Unknown+1 · Geowebcache+1

Author: Aaime · Published 2022-04-14 · Updated 2022-04-22 · CVE-2022-24846

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GeoWebCache versions prior to 1.21.0
GeoWebCache versions prior to 1.20.2
GeoWebCache versions prior to 1.19.3

Description
The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which can be used to perform class deserialization and result in arbitrary code execution. In GeoWebCache the JNDI strings are supplied through a local configuration file; in GeoServer the same settings can be entered through a user interface that is reachable remotely with an admin-level login. These lookups are unrestricted in scope and can lead to code execution.

Recommendations
For versions prior to 1.21.0, update to version 1.21.0 to restrict the JNDI lookups.
For versions prior to 1.20.2, update to version 1.20.2 to restrict the JNDI lookups.
For versions prior to 1.19.3, update to version 1.19.3 to restrict the JNDI lookups.
As a temporary workaround, consider restricting access to the admin-level login to minimize the risk of exploitation.
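The advisory says the fixed releases "restrict the JNDI lookups" but does not show how. The following is an added example, not code from GeoWebCache or GeoServer, of the kind of allow-list check a disk-quota style configuration can apply before a configured name reaches Context.lookup(); the pattern, the class name JndiNameGuard and the sample names are assumptions, and the upstream patch may differ in detail.

```java
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;

// Added example, not GeoWebCache's or GeoServer's own code: an allow-list check
// applied to a configured JNDI name before it reaches Context.lookup(). Only
// the container-local "java:" namespace is accepted, so URL-style names whose
// scheme would make the naming provider fetch a remote object are refused.
public final class JndiNameGuard {

    // Constructed pattern (the upstream patch itself is not on this page):
    // an explicit java: prefix followed by plain path characters only.
    private static final Pattern LOCAL_JNDI = Pattern.compile("^java:[A-Za-z0-9_./-]+$");

    private JndiNameGuard() {}

    /** Returns true only for names confined to the local java: namespace. */
    public static boolean isLocalName(String jndiName) {
        return jndiName != null && LOCAL_JNDI.matcher(jndiName.trim()).matches();
    }

    /** Fails closed: a rejected name never reaches the naming provider. */
    public static Object guardedLookup(Context ctx, String jndiName) throws NamingException {
        if (!isLocalName(jndiName)) {
            throw new IllegalArgumentException(
                "JNDI lookup refused, name is not in the java: namespace: " + jndiName);
        }
        return ctx.lookup(jndiName);
    }

    public static void main(String[] args) {
        // Constructed sample names: the first has the shape of a container-bound
        // JDBC DataSource that a disk-quota store would use; the others are refused.
        String[] samples = {
            "java:comp/env/jdbc/gwc",       // allowed: local namespace
            "ldap://example.invalid/cn=x",  // refused: URL scheme leaves the JVM
            "jdbc/gwc"                      // refused: no explicit java: prefix
        };
        for (String s : samples) {
            System.out.println((isLocalName(s) ? "allow  " : "refuse ") + s);
        }
    }
}
```

Relative names without the java: prefix are refused by this check, so operators must configure the fully qualified form; the check itself runs offline since it never opens a naming context for refused names.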

Tags: Exploit · Fix · Deserialization of Untrusted Data · RCE


Weakness Enumeration

Related Identifiers
CVE-2022-24846
GHSA-4V22-V8JP-438R

Affected Products
Geoserver
Geowebcache