CVE-2024-36401

unknown KEV

Published 2024-07-01 · Modified 2024-07-15

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

CVSS v2

—

VIR risk

1.5

Description

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.

CISA KEV

Vendor: OSGeo
Product: GeoServer
Due date: 2024-08-05

Predictions

Exploit likelihood

99%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cisa-kev — This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, https://github.com/geotools/geotools/pull/4797 ; https://nvd.nist.gov/vuln/detail/CVE-2024-36401

Exploits

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.geoserver.web:gs-web-app	`>=2.24.0,<2.24.4`	`2.24.4`
Maven	org.geoserver:gs-wfs	`>=2.24.0,<2.24.4`	`2.24.4`
Maven	org.geoserver:gs-wms	`>=2.24.0,<2.24.4`	`2.24.4`
Maven	org.geoserver.web:gs-web-app	`>=2.25.0,<2.25.2`	`2.25.2`
Maven	org.geoserver:gs-wfs	`>=2.25.0,<2.25.2`	`2.25.2`
Maven	org.geoserver:gs-wms	`>=2.25.0,<2.25.2`	`2.25.2`
Maven	org.geoserver.web:gs-web-app	`>=2.23.0,<2.23.6`	`2.23.6`
Maven	org.geoserver:gs-wfs	`>=2.23.0,<2.23.6`	`2.23.6`
Maven	org.geoserver:gs-wms	`>=2.23.0,<2.23.6`	`2.23.6`
Maven	org.geoserver.web:gs-web-app	`<2.22.6`	`2.22.6`
Maven	org.geoserver:gs-wfs	`<2.22.6`	`2.22.6`
Maven	org.geoserver:gs-wms	`<2.22.6`	`2.22.6`

References

Verify integrity in audit chain (admin only). AS-IS.