CVE-2022-24847
Published: 2022-04-13
Priority: P2 · 76 · high · CVSS 3.1 score 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 1.47% (70.4th percentile)
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attacker needs to have obtained admin rights and to use either the GeoServer GUI or its REST API. The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 1.19.6. Users unable to upgrade should restrict access to `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | geoserver | < 2.19.6 | 2.19.6 |
| geoserver | geoserver | — | — |
| osgeo | geoserver | < 2.19.6 | 2.19.6 |
| osgeo | geoserver | >= 2.20.0 < 2.20.4 | 2.20.4 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 7.2 | HIGH | — |
GHSA
ghsa · 2022-04-22
CVE-2022-24847 [HIGH] CWE-20 Improper Input Validation in GeoServer
### Impact
The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism.
In order to perform any of the above changes, the attacker needs to have obtained admin rights and to use either the GeoServer GUI or its REST API.
### Patches
The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 2.19.6.
### Workarounds
Protection can be achieved by making the GUI (`geoserver/web`), the REST configuration (`geoserver/rest`) and the embedded GeoWebCache configuration (`geoserver/gwc/rest`) unreachable from rem
OSV
osv · 2022-04-22
CVE-2022-24847 [HIGH] Improper Input Validation in GeoServer
Advisory text identical to the GHSA entry above.
VulnCheck
vulncheck · 2022 · CVSS 7.2
CVE-2022-24847 [HIGH] OSGeo GeoServer Improper Input Validation
Description identical to the summary at the top of this page.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.