PT-2022-16921 · Geoserver · Geoserver
Jodygarnett · Published 2022-04-13 · Updated 2025-12-29 · CVE-2022-24847
CVSS v2.0: 9.0 (High) | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
GeoServer versions prior to 2.21.0
GeoServer versions prior to 2.20.4
GeoServer versions prior to 1.19.6
Description
The GeoServer security mechanism can perform an unchecked JNDI lookup, which can be used to perform class deserialization and result in arbitrary code execution. This can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. To exploit this, an attacker needs to have obtained admin rights and to use either the GeoServer GUI or its REST API.
Recommendations
For versions prior to 2.21.0, restrict access to geoserver/web and geoserver/rest via a firewall and ensure that the GeoWebCache is not remotely accessible.
For versions prior to 2.20.4, restrict access to geoserver/web and geoserver/rest via a firewall and ensure that the GeoWebCache is not remotely accessible.
For versions prior to 1.19.6, restrict access to geoserver/web and geoserver/rest via a firewall and ensure that the GeoWebCache is not remotely accessible.
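One way to apply the recommendation above for a deployment fronted by nginx, as an added example that is not part of this advisory or of GeoServer's own documentation. It assumes GeoServer is proxied at /geoserver from 127.0.0.1:8080, that the integrated GeoWebCache is served under /geoserver/gwc, and that 10.0.0.0/8 is the administrative network; all three are assumptions, and the hostname is a placeholder.

```nginx
# Added example (not from the advisory). Assumptions: GeoServer listens on
# 127.0.0.1:8080, the integrated GeoWebCache is served under /geoserver/gwc,
# and 10.0.0.0/8 is the network from which administration is allowed.

upstream geoserver {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name maps.example.org;   # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted (deployment-specific)

    # Admin GUI and REST API: the two entry points the advisory names for the
    # JNDI lookup. Only the admin network may reach them; everyone else gets 403.
    location ~ ^/geoserver/(web|rest)(/|$) {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://geoserver;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Integrated GeoWebCache (the disk quota settings live here): not remotely
    # reachable, as the advisory recommends.
    location ~ ^/geoserver/gwc(/|$) {
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://geoserver;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else under /geoserver (WMS/WFS and other OGC endpoints)
    # stays public. Regex locations above take precedence over this prefix.
    location /geoserver/ {
        proxy_pass http://geoserver;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

This limits who can reach the admin surfaces the advisory describes; it complements, rather than replaces, running one of the fixed versions listed above.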
Affected Products
Geoserver