PT-2022-5014 · Apache · Apache Commons Jxpath

Published: 2022-10-06 · Updated: 2025-08-25 · CVE-2022-41852

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Commons JXPath (affected versions not specified)
GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2
hermes-management versions prior to 2.2.9

Description
The issue stems from the use of untrusted external input to select classes in the functions of the JXPathContext class of the JXPath library; all JXPathContext functions are affected except compile() and compilePath(). This allows a remote attacker to execute arbitrary code by loading any Java class from the classpath through a crafted XPath expression. In GeoServer, the vulnerability can be exploited through various requests, including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.

Recommendations
For Apache Commons JXPath, consider disabling the vulnerable JXPathContext class functions until a patch is available. For GeoServer, upgrade to version 2.23.6, 2.24.4, or 2.25.2, or, as a temporary workaround, remove the gt-complex-x.y.jar file from the GeoServer installation. For hermes-management, upgrade to version 2.2.9 or later.

Exploit

Fix

Weakness Enumeration

Eval Injection
Code Injection

Related Identifiers

BDU:2022-06227
CVE-2022-41852
GHSA-2GH6-WC3M-G37F
GHSA-6JJ6-GM7P-FCVV
GHSA-W3PJ-WH35-FQ8W
GHSA-WRX5-RP7M-MM49

Affected Products

Apache Commons Jxpath