Known Exploited Vulnerability
9.8
CRITICAL
CVE-2024-36401
OSGeo GeoServer GeoTools Eval Injection Vulnerabil - [Actively Exploited]
Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

INFO

Published Date :

July 1, 2024, 4:15 p.m.

Last Modified :

July 16, 2024, 1 a.m.

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.

Required Action :

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes :

This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, https://github.com/geotools/geotools/pull/4797

Public PoC/Exploit Available at Github

CVE-2024-36401 has a 38 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2024-36401 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Geoserver geoserver
1 Geotools geotools
1 Osgeo geoserver
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-36401.

URL Resource
https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Exploit Third Party Advisory
https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Mitigation Vendor Advisory
https://github.com/geotools/geotools/pull/4797 Issue Tracking Patch
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Exploit Vendor Advisory
https://osgeo-org.atlassian.net/browse/GEOT-7587 Vendor Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

geoserver图形化漏洞利用工具

Go

Updated: 4 days, 23 hours ago
2 stars 0 fork 0 watcher
Born at : Oct. 5, 2024, 10:08 a.m. This repo has been linked 1 different CVEs too.

This repo contains the codes of the penetration test benchmark for Generative Agents presented in the paper "AutoPenBench: Benchmarking Generative Agents for Penetration Testing". It contains also the instructions to install, develop and test new vulnerable containers to include in the benchmark.

benchmark generative-agents generative-ai penetration-testing

Python Shell Dockerfile C PHP Hack CSS HTML Ruby Groovy

Updated: 19 hours, 28 minutes ago
3 stars 0 fork 0 watcher
Born at : Sept. 30, 2024, 3:13 p.m. This repo has been linked 11 different CVEs too.

GeoServer CVE-2024-36401: Remote Code Execution (RCE) Vulnerability In Evaluating Property Name Expressions

Updated: 1 week, 3 days ago
2 stars 0 fork 0 watcher
Born at : Sept. 28, 2024, 2:55 p.m. This repo has been linked 1 different CVEs too.

这是一个每天同步Vulnerability-Wiki中docs-base中内容的项目

HTML

Updated: 2 weeks, 6 days ago
0 stars 0 fork 0 watcher
Born at : Sept. 20, 2024, 3:27 a.m. This repo has been linked 203 different CVEs too.

Proof-of-Concept Exploit for CVE-2024-36401 GeoServer 2.25.1

Python

Updated: 3 weeks, 5 days ago
1 stars 0 fork 0 watcher
Born at : Sept. 13, 2024, 10:28 a.m. This repo has been linked 1 different CVEs too.

None

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : Sept. 9, 2024, 1:28 a.m. This repo has been linked 128 different CVEs too.

Nuclei Template to search for an Exposed GeoServer Web Panel

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : Sept. 5, 2024, 8:09 a.m. This repo has been linked 1 different CVEs too.

None

HTML

Updated: 1 month ago
0 stars 0 fork 0 watcher
Born at : Sept. 4, 2024, 9:24 a.m. This repo has been linked 128 different CVEs too.

Mass scanner for CVE-2024-36401

Python Dockerfile

Updated: 1 month, 1 week ago
1 stars 0 fork 0 watcher
Born at : Aug. 27, 2024, 3:28 p.m. This repo has been linked 1 different CVEs too.

None

HTML

Updated: 1 month, 3 weeks ago
5 stars 0 fork 0 watcher
Born at : Aug. 2, 2024, 6:07 a.m. This repo has been linked 123 different CVEs too.

None

Python

Updated: 2 months, 1 week ago
0 stars 0 fork 0 watcher
Born at : Aug. 1, 2024, 9:22 p.m. This repo has been linked 1 different CVEs too.

GeoServer Remote Code Execution

Python

Updated: 1 month ago
66 stars 11 fork 11 watcher
Born at : July 30, 2024, 6:43 p.m. This repo has been linked 1 different CVEs too.

角宿武器库官方发布页面

Updated: 1 month ago
99 stars 8 fork 8 watcher
Born at : July 22, 2024, 3:23 a.m. This repo has been linked 2 different CVEs too.

geoserver CVE-2024-36401漏洞利用工具

Java

Updated: 1 month, 1 week ago
4 stars 2 fork 2 watcher
Born at : July 17, 2024, 2:25 a.m. This repo has been linked 1 different CVEs too.

geoserver CVE-2024-36401 漏洞利用工具

Java

Updated: 2 months, 2 weeks ago
21 stars 2 fork 2 watcher
Born at : July 16, 2024, 5:29 p.m. This repo has been linked 1 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-36401 vulnerability anywhere in the article.

  • The Cyber Express
Progress Telerik, Cisco, QNAP and Linux Under Attack: Cyble Honeypot Sensors

Cyble’s Vulnerability Intelligence unit has detected cyberattacks on several key IT products and systems, as threat actors have been quick to exploit vulnerabilities and enterprises slow to patch them ... Read more

Published Date: Oct 08, 2024 (1 day, 14 hours ago)
  • europa.eu
Cyber Brief 24-10 - September 2024

Cyber Brief (September 2024)October 1, 2024 - Version: 1.0TLP:CLEARExecutive summaryWe analysed 269 open source reports for this Cyber Brief1.Relating to cyber policy and law enforcement, in Europe, l ... Read more

Published Date: Oct 01, 2024 (1 week, 1 day ago)
  • Cybersecurity News
Critical XSS Flaw Discovered in Filament: CVE-2024-47186 Requires Urgent Update for Laravel Developers

The Filament project, a popular collection of full-stack components for accelerated Laravel development, has issued a critical security advisory for CVE-2024-47186. This Cross-Site Scripting (XSS) vul ... Read more

Published Date: Sep 30, 2024 (1 week, 3 days ago)
  • Cybersecurity News
Critical CUPS Vulnerabilities Expose Linux and Other Systems to Remote Attacks

In a significant development for cybersecurity, multiple critical vulnerabilities have been discovered in CUPS (Common Unix Printing System), a widely used print server on Linux systems and other plat ... Read more

Published Date: Sep 26, 2024 (1 week, 6 days ago)
  • Cybersecurity News
CVE-2024-9014 (CVSS 9.9): pgAdmin’s Critical Vulnerability Puts User Data at Risk

pgAdmin, the leading open-source management tool for PostgreSQL databases, has released an urgent security update to address a critical vulnerability affecting versions 8.11 and earlier. This flaw, id ... Read more

Published Date: Sep 25, 2024 (2 weeks, 1 day ago)
  • Cybersecurity News
CISA Warns of Actively Exploited Ivanti vTM Flaw CVE-2024-7593 (CVSS 9.8), PoC Published

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding an actively exploited security vulnerability impacting Ivanti Virtual Traffic Manager (vTM), a ... Read more

Published Date: Sep 24, 2024 (2 weeks, 1 day ago)
  • Cybersecurity News
CVE-2024-9043 (CVSS 9.8): Cellopoint Secure Email Gateway Flaw Puts Sensitive Data at Risk

A recently disclosed vulnerability (CVE-2024-9043) in Cellopoint’s Secure Email Gateway (SEG) could expose enterprise email systems to critical security risks, making it an urgent matter for administr ... Read more

Published Date: Sep 24, 2024 (2 weeks, 2 days ago)
  • The Hacker News
Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

Cyber Espionage / Malware A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) regi ... Read more

Published Date: Sep 23, 2024 (2 weeks, 3 days ago)
  • Dark Reading
China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

Source: kb-photodesign via ShutterstockA China-linked cyber-espionage group has attacked Taiwanese government agencies, the Philippine and Japanese military, and energy companies in Vietnam, installin ... Read more

Published Date: Sep 23, 2024 (2 weeks, 3 days ago)
  • Cybersecurity News
Sophisticated Cyber Espionage: Earth Baxia Uses CVE-2024-36401 and Cobalt Strike to Infiltrate APAC

Overview of the attack chain | Image: Trend MicroIn a recent report from Trend Micro, the cyber espionage group Earth Baxia has been identified targeting government organizations in Taiwan and potenti ... Read more

Published Date: Sep 19, 2024 (3 weeks ago)
  • Trend Micro
Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

APT & Targeted Attacks We observed Earth Baxia carrying out targeted attacks against APAC countries that involved advanced techniques like spear-phishing and customized malware, with data suggesting t ... Read more

Published Date: Sep 19, 2024 (3 weeks ago)
  • Cybersecurity News
Faraday: Open Source Vulnerability Management Platform

In today’s complex cybersecurity landscape, security teams face the dual challenge of uncovering new vulnerabilities and efficiently managing remediation efforts. Faraday emerges as a powerful solutio ... Read more

Published Date: Sep 17, 2024 (3 weeks, 2 days ago)
  • Cybersecurity News
Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 to Launch Malware Campaigns

Cybersecurity researchers at FortiGuard Labs have observed multiple campaigns targeting a critical vulnerability in GeoServer, an open-source geospatial data server. Identified as CVE-2024-36401, this ... Read more

Published Date: Sep 07, 2024 (1 month ago)
  • Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News
Critical GeoServer Vulnerability Exploited in Global Malware Campaign

A critical GeoServer vulnerability (CVE-2024-36401) is being actively exploited, allowing attackers to take control of systems for malware deployment, cryptojacking, and botnet attacks. Update GeoServ ... Read more

Published Date: Sep 06, 2024 (1 month ago)
  • The Hacker News
GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware

Cryptocurrency / APT Attack A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Con ... Read more

Published Date: Sep 06, 2024 (1 month ago)
  • Cybersecurity News
Windows TCP/IP Vulnerability CVE-2024-38063: Researchers Hold Back Exploit Details Due to High Risk

In a recent August Patch Tuesday, Microsoft urgently addressed a critical security vulnerability within the Windows TCP/IP stack, identified as CVE-2024-38063. With a CVSS score of 9.8, this flaw has ... Read more

Published Date: Aug 15, 2024 (1 month, 3 weeks ago)
  • Cybersecurity News
Adobe Issues Critical Security Updates for Commerce and Magento Platforms

Adobe has released a critical security update for its widely-used e-commerce platforms, Adobe Commerce and Magento Open Source. The update addresses a range of vulnerabilities, some of which could all ... Read more

Published Date: Aug 15, 2024 (1 month, 3 weeks ago)
  • Cybersecurity News
CISA Warns Critical Vulnerabilities in Vonets WiFi Bridge Devices, No Patch Available

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory detailing multiple critical vulnerabilities discovered in Vonets WiFi Bridge devices. These vulnerabilities, ... Read more

Published Date: Aug 15, 2024 (1 month, 3 weeks ago)
  • Cybersecurity News
CVE-2024-39091: Critical Vulnerability in MIPC Camera Framework Puts Millions at Risk

Please enable JavaScriptA high-severity vulnerability (CVE-2024-39091, CVSS 8.8) has been discovered in the MIPC camera framework, a widely-used software platform for home security cameras. This vulne ... Read more

Published Date: Aug 14, 2024 (1 month, 3 weeks ago)
  • Cybersecurity News
QuickShell Security Flaw Exposes Google Quick Share Users to Remote Attacks

Image Credit: SafeBreach LabsGoogle’s Quick Share, a popular tool for file sharing across Android, Windows, and Chrome OS devices, has recently come under scrutiny following the discovery of serious s ... Read more

Published Date: Aug 12, 2024 (1 month, 4 weeks ago)
  • Cyber Security News
Hackers Actively Exploiting GeoServer RCE Flaw, 6635 Servers Vulnerable

A critical vulnerability in GeoServer, an open-source Java-based software server, has put thousands of servers at risk. The flaw, CVE-2024-36401, allows unauthenticated users to execute remote code, p ... Read more

Published Date: Jul 31, 2024 (2 months, 1 week ago)
  • Cyber Security News
6600+ Vulnerable GeoServer instances Exposed to the Internet

Security analysts have identified 6,635 GeoServer instances exposed to the Internet, which makes them vulnerable to critical remote code execution (RCE) attacks. A recent tweet from the Shadowserver F ... Read more

Published Date: Jul 25, 2024 (2 months, 2 weeks ago)

The following table lists the changes that have been made to the CVE-2024-36401 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Jul. 16, 2024

    Action Type Old Value New Value
    Added Vulnerability Name OSGeo GeoServer GeoTools Eval Injection Vulnerability
    Added Due Date 2024-08-05
    Added Date Added 2024-07-15
    Added Required Action Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
  • Initial Analysis by [email protected]

    Jul. 03, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv No Types Assigned https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv Mitigation, Vendor Advisory
    Changed Reference Type https://github.com/geotools/geotools/pull/4797 No Types Assigned https://github.com/geotools/geotools/pull/4797 Issue Tracking, Patch
    Changed Reference Type https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w No Types Assigned https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Exploit, Vendor Advisory
    Changed Reference Type https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 No Types Assigned https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 Exploit, Third Party Advisory
    Changed Reference Type https://osgeo-org.atlassian.net/browse/GEOT-7587 No Types Assigned https://osgeo-org.atlassian.net/browse/GEOT-7587 Vendor Advisory
    Added CWE NIST CWE-94
    Added CPE Configuration OR *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions up to (excluding) 2.23.6 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.24.0 up to (excluding) 2.24.4 *cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:* versions from (including) 2.25.0 up to (excluding) 2.25.2 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions up to (excluding) 29.6 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 30.0 up to (excluding) 30.4 *cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:* versions from (including) 31.0 up to (excluding) 31.2
  • CVE Received by [email protected]

    Jul. 01, 2024

    Action Type Old Value New Value
    Added Description GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
    Added Reference GitHub, Inc. https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv [No types assigned]
    Added Reference GitHub, Inc. https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w [No types assigned]
    Added Reference GitHub, Inc. https://github.com/geotools/geotools/pull/4797 [No types assigned]
    Added Reference GitHub, Inc. https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 [No types assigned]
    Added Reference GitHub, Inc. https://osgeo-org.atlassian.net/browse/GEOT-7587 [No types assigned]
    Added CWE GitHub, Inc. CWE-95
    Added CVSS V3.1 GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-36401 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability