CVE-2024-36404
unknown
CVSS v3: not available
CVSS v4: not available
VIR risk: not available
Description
GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions
Predictions
Exploit likelihood
30%
Patch ETA: not available
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.geotools:gt-app-schema | >=30.0,<30.4 | 30.4 |
| Maven | org.geotools:gt-complex | >=30.0,<30.4 | 30.4 |
| Maven | org.geotools.xsd:gt-xsd-core | >=30.0,<30.4 | 30.4 |
| Maven | org.geotools:gt-app-schema | >=31.0,<31.2 | 31.2 |
| Maven | org.geotools:gt-complex | >=31.0,<31.2 | 31.2 |
| Maven | org.geotools.xsd:gt-xsd-core | >=31.0,<31.2 | 31.2 |
| Maven | org.geotools:gt-app-schema | >=29.0,<29.6 | 29.6 |
| Maven | org.geotools:gt-complex | >=29.0,<29.6 | 29.6 |
| Maven | org.geotools.xsd:gt-xsd-core | >=29.0,<29.6 | 29.6 |
| Maven | org.geotools:gt-app-schema | <28.6 | 28.6 |
| Maven | org.geotools:gt-complex | <28.6 | 28.6 |
| Maven | org.geotools.xsd:gt-xsd-core | <28.6 | 28.6 |
References
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
- https://nvd.nist.gov/vuln/detail/CVE-2024-36404
- https://github.com/geotools/geotools/pull/4797
- https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea
- https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1
- https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4
- https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download
- https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download
- https://osgeo-org.atlassian.net/browse/GEOT-7587
- https://github.com/geotools/geotools
- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852