PT-2024-4472 · Geoserver · Geoserver
Sikeoka · Published 2024-06-04 · Updated 2026-06-24 · CVE-2024-36401
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
  • GeoServer versions prior to 2.22.6
  • GeoServer versions prior to 2.23.6
  • GeoServer versions prior to 2.24.4
  • GeoServer versions prior to 2.25.2
Description
GeoServer is an open-source server used for sharing and editing geospatial data. The GeoTools library API unsafely evaluates property or attribute names of feature types by passing them to the commons-jxpath library, which interprets them as XPath expressions (a language for navigating elements and attributes of an XML document). Because this happens for both simple and complex feature types, an unauthenticated remote attacker can execute arbitrary code by sending specially crafted OGC requests. All GeoServer instances in a default installation are affected.
Exploitation has been confirmed via the following endpoints:
  • 'WFS GetFeature'
  • 'WFS GetPropertyValue'
  • 'WMS GetMap'
  • 'WMS GetFeatureInfo'
  • 'WMS GetLegendGraphic'
  • 'WPS Execute'
Real-world incidents include breaches of a U.S. federal agency, where the flaw was used for initial access and lateral movement. Additionally, campaigns by botnets such as Mirai and PolarEdge have exploited this to deploy coin miners (specifically for Monero), web shells, and other malware across Windows and Linux platforms. It is estimated that over 16,000 internet-exposed instances were at risk.
Recommendations
  • Update GeoServer to version 2.22.6.
  • Update GeoServer to version 2.23.6.
  • Update GeoServer to version 2.24.4.
  • Update GeoServer to version 2.25.2.
As a temporary workaround, remove the gt-complex-x.y.jar file (where x.y is the GeoTools version, e.g., gt-complex-31.1.jar) from the GeoServer installation to remove the vulnerable code. This may disrupt some functionality or prevent deployment if the gt-complex module is required.
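Two defender-side checks covering the affected-version list and the description above, added here as an example and not taken from the advisory or from GeoServer: a branch-aware version check against the fixed releases, and a scan of constructed access-log lines for the confirmed OGC request types whose property-name parameters carry something other than a plain name. The choice of WFS parameters (propertyName, valueReference), the Combined Log Format parsing and the plain-name allowlist are this example's assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Fixed release per minor branch, as stated in the advisory.
FIXED = {(2, 22): (2, 22, 6), (2, 23): (2, 23, 6),
         (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}

def is_vulnerable_version(version: str) -> bool:
    """Branch-aware check: 2.24.3 is vulnerable but 2.22.6 is not, though
    2.22.6 < 2.25.2. Pre-2.22 branches have no fix listed (vulnerable);
    post-2.25 branches are assumed to postdate the fix. Expects x.y.z."""
    major, minor, patch = (int(x) for x in re.findall(r"\d+", version)[:3])
    if (major, minor) < (2, 22):
        return True
    if (major, minor) not in FIXED:
        return False
    return (major, minor, patch) < FIXED[(major, minor)]

# Request types the advisory lists as confirmed exploitation paths.
EXPLOITED = {"getfeature", "getpropertyvalue", "getmap",
             "getfeatureinfo", "getlegendgraphic", "execute"}
# WFS parameters carrying property names (assumed). A legitimate value is a
# comma-separated list of (optionally prefixed) names or simple paths.
NAME_PARAMS = {"propertyname", "valuereference"}
PLAIN_NAME = re.compile(r"^(\*|@?[A-Za-z_][\w.-]*(:[A-Za-z_][\w.-]*)?"
                        r"(/@?[A-Za-z_][\w.-]*(:[A-Za-z_][\w.-]*)?)*)$")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+)')

def suspicious_requests(log_lines):
    """Return (client_ip, request, parameter) for access-log lines where an
    exploited OGC request carries a property name that is not a plain name."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        params = {k.lower(): v for k, v in parse_qsl(urlsplit(target).query)}
        if params.get("request", "").lower() not in EXPLOITED:
            continue
        for key in NAME_PARAMS.intersection(params):
            names = [n.strip() for n in params[key].split(",")]
            if not all(PLAIN_NAME.match(n) for n in names):
                hits.append((ip, params["request"], key))
    return hits

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2024:10:00:00 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 812',
    '10.0.0.9 - - [04/Jun/2024:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=not_a_name(%27x%27) HTTP/1.1" 500 120',
]
```

A flagged line is a triage lead, not proof of exploitation; confirm against the server's own logs and the installed version.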

Exploit · Fix · RCE · Code Injection · Eval Injection


Related Identifiers

BDU:2024-04974
CVE-2024-36401
GHSA-6JJ6-GM7P-FCVV
GHSA-W3PJ-WH35-FQ8W

Affected Products

Geoserver