PT-2024-26971 · GeoTools · GeoTools

Sikeoka · Published 2024-06-04 · Updated 2025-02-05 · CVE-2024-36404

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
- GeoTools versions prior to 31.2
- GeoTools versions prior to 30.4
- GeoTools versions prior to 29.6

Description: GeoTools is an open source Java library that provides tools for geospatial data. Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. As an example of the impact, the application schema datastore would not function without the ability to use XPath expressions to query complex content.

Recommendations: For versions prior to 31.2, update to version 31.2 or later. For versions prior to 30.4, update to version 30.4 or later. For versions prior to 29.6, update to version 29.6 or later. As a temporary workaround, consider removing the gt-complex jar from the application to operate with reduced functionality. Alternatively, for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0, use a drop-in replacement GeoTools jar from SourceForge.
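The affected ranges above are per maintained branch, which makes a plain "less than 31.2" check wrong (29.6 is fixed, 30.0 is not). The following is an added example, not code from the advisory or from the GeoTools project: it encodes the three fixed versions stated in this record, treats branches older than 29 as never fixed (the record offers only a drop-in jar for them), and scans Maven `dependency:tree` output for GeoTools artifacts in an affected range. The sample tree lines are constructed for illustration.

```python
# Added example (not from the PT advisory or the GeoTools project): decide whether a
# GeoTools version falls into the affected ranges of CVE-2024-36404 as listed above,
# and scan Maven dependency:tree output for such artifacts.
import re
from typing import Iterable, List, Tuple

# First fixed release per maintained branch, as stated in the advisory.
FIXED_PER_BRANCH = {29: (29, 6), 30: (30, 4), 31: (31, 2)}
# Branches older than 29 received no fix release; the advisory only offers a
# drop-in replacement jar for some of them (28.2, 27.5, ..., 24.0).
OLDEST_FIXED_BRANCH = 29
NEWEST_LISTED_BRANCH = 31


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '30.4' or '31.1-SNAPSHOT' into a comparable tuple of ints.

    Raises ValueError on anything that is not dot-separated integers
    (after stripping a '-qualifier' suffix), so malformed input is not
    silently classified as safe.
    """
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True if this GeoTools version is in an affected range of the advisory."""
    parsed = parse_version(version)
    branch = parsed[0]
    if branch < OLDEST_FIXED_BRANCH:
        return True                      # no fixed release exists on that branch
    if branch > NEWEST_LISTED_BRANCH:
        return False                     # 32.x and newer are past 31.2
    return parsed < FIXED_PER_BRANCH[branch]


# Matches a Maven coordinate such as org.geotools:gt-complex:jar:30.3:compile
_COORD_RE = re.compile(r"(org\.geotools:[^\s]+)")


def scan_dependency_tree(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (artifactId, version) for every GeoTools artifact in an affected range.

    Accepts both the 3-field (group:artifact:version) and the 5-field
    (group:artifact:packaging:version:scope) coordinate forms that Maven prints.
    """
    findings: List[Tuple[str, str]] = []
    for line in lines:
        match = _COORD_RE.search(line)
        if not match:
            continue
        fields = match.group(1).split(":")
        artifact = fields[1]
        version = fields[3] if len(fields) >= 5 else fields[2]
        if is_affected(version):
            findings.append((artifact, version))
    return findings


# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] +- org.geotools:gt-main:jar:30.3:compile
[INFO] |  \\- org.geotools:gt-complex:jar:30.3:compile
[INFO] +- org.geotools:gt-referencing:jar:31.2:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.14.0:compile
"""

if __name__ == "__main__":
    for artifact, version in scan_dependency_tree(SAMPLE_TREE.splitlines()):
        print(f"affected: {artifact} {version}")
```

Run it against `mvn dependency:tree` output piped through `splitlines()`; a `gt-complex` hit is the one that matters most for the workaround above, since that is the jar the advisory suggests removing.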

Weakness Enumeration: Eval Injection

Related Identifiers

BDU:2025-03363
CVE-2024-36404
GHSA-W3PJ-WH35-FQ8W

Affected Products

Geotools