CVE-2024-36404
Published: 2024-07-02
Priority: P184 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 74.91% (99.4th percentile)
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geotools | geotools | < 29.6 | 29.6 |
| geotools | geotools | — | — |
| geotools | geotools | — | — |
Detection & IOCs
- Probe for the GeoServer WFS capability endpoint; a valid response contains 'wfs:WFS_Capabilities' in the body with content-type application/xml and HTTP 200.
- Exploitation attempt via POST to the WFS endpoint with an XPath RCE payload; a vulnerable server returns HTTP 400 with 'java.lang.ClassCastException' in the body and content-type application/xml, while also triggering an out-of-band DNS interaction.
- Identify exposed GeoServer instances via Shodan using title 'geoserver', favicon hash 97540678, or HTML path '/geoserver/'.
- Identify exposed GeoServer instances via FOFA using title, app name, icon hash, or body path '/geoserver/'.
- The exploit POST body uses a WFS GetPropertyValue request with an XPath expression containing exec(java.lang.Runtime.getRuntime(),...) to achieve RCE; monitor POST requests to WFS/OWS endpoints containing 'exec(' and 'java.lang.Runtime' in the XML body.
- RCE is triggered through user-supplied XPath expressions evaluated by the gt-complex component; the presence of the gt-complex jar in a GeoTools deployment is a risk indicator.
- The workaround removes gt-complex functionality; the application schema datastore will not work without XPath support for complex content.
- Drop-in replacement jars from SourceForge are available for older versions but are NOT published to Maven Central; they must be manually downloaded and deployed.
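The two monitoring indicators listed above (request side: a POST to a WFS/OWS endpoint whose XML body contains 'exec(' and 'java.lang.Runtime'; response side: HTTP 400 with 'java.lang.ClassCastException') as a small log-triage function. This is an added example, not code from the page or from the GeoTools/GeoServer projects; it assumes one dict per request with the field names shown, and the sample records are constructed, with the suspicious expression elided ("...") exactly as the advisory quotes it.

```python
import re
from typing import Dict, List

# Constructed sample records in a hypothetical proxy/WAF log format (field names assumed).
SAMPLE_RECORDS: List[Dict] = [
    {"method": "POST", "path": "/geoserver/wfs", "status": 200,
     "req_body": '<wfs:GetFeature service="WFS" version="2.0.0"><wfs:Query typeNames="topp:states"/></wfs:GetFeature>',
     "resp_body": "<wfs:FeatureCollection/>"},
    {"method": "POST", "path": "/geoserver/ows", "status": 400,
     "req_body": '<wfs:GetPropertyValue service="WFS" version="2.0.0" '
                 'valueReference="exec(java.lang.Runtime.getRuntime(),...)"/>',
     "resp_body": "<ows:ExceptionReport>java.lang.ClassCastException</ows:ExceptionReport>"},
    {"method": "GET", "path": "/geoserver/wfs?request=GetCapabilities", "status": 200,
     "req_body": "", "resp_body": "<wfs:WFS_Capabilities/>"},
    # A legitimate GetPropertyValue: same request type, ordinary property path, must not be flagged.
    {"method": "POST", "path": "/geoserver/wfs", "status": 200,
     "req_body": '<wfs:GetPropertyValue service="WFS" version="2.0.0" valueReference="topp:states/topp:STATE_NAME"/>',
     "resp_body": "<wfs:ValueCollection/>"},
]

# WFS/OWS endpoint, with or without a query string or trailing slash.
WFS_PATH = re.compile(r"/(wfs|ows)(\?|/|$)", re.IGNORECASE)

def classify(rec: Dict) -> str:
    """Return 'benign', 'attempt' (payload indicators seen in the request body) or
    'attempt_vulnerable_response' (payload seen and the response matches the
    vulnerable-server signature from the advisory: HTTP 400 + ClassCastException)."""
    if rec.get("method", "").upper() != "POST" or not WFS_PATH.search(rec.get("path", "")):
        return "benign"
    body = rec.get("req_body", "")
    # Both indicator substrings must be present, as the advisory states them.
    if not ("exec(" in body and "java.lang.Runtime" in body):
        return "benign"
    if rec.get("status") == 400 and "java.lang.ClassCastException" in rec.get("resp_body", ""):
        return "attempt_vulnerable_response"
    return "attempt"

def triage(records: List[Dict]) -> List[str]:
    """Classify every record; callers alert on anything other than 'benign'."""
    return [classify(r) for r in records]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE_RECORDS, triage(SAMPLE_RECORDS)):
        print(f"{verdict:28s} {rec['method']} {rec['path']} -> HTTP {rec['status']}")
```

An 'attempt' verdict without the 400/ClassCastException response does not prove the target was patched, since the response shape also depends on the deployed application; treat it as an exploitation attempt regardless.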
GHSA · 2025-02-05
CVE-2024-36404 [CRITICAL] CWE-95: GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions
### Summary
Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.
### Details
The following methods pass XPath expressions to the `commons-jxpath` library, which can execute arbitrary code; this is a security issue if the XPath expressions are provided by user input.
* `org.geotools.appschema.util.XmlXpathUtilites.getXPathValues(NamespaceSupport, String, Document)`
* `org.geotools.appschema.util.XmlXpathUtilites.countXPathNodes(NamespaceSupport, String, Document)`
* `org.geotools.appschema.util.XmlXpathUtilites.getSingleXPathValue(NamespaceSupport, String, Document)`
* `org.geotools.data.complex.expression.Fea
OSV · 2025-02-05
CVE-2024-36404 [CRITICAL]: GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions (the OSV record carries the same summary and details as the GHSA entry above)
No detection rules found.
Nuclei · CVSS 9.8
CVE-2024-36404 [CRITICAL]: GeoServer and GeoTools - Remote Code Execution
References
- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
- https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea
- https://github.com/geotools/geotools/pull/4797
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
- https://osgeo-org.atlassian.net/browse/GEOT-7587
- https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4
- https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1