
Cloud Vulnerability DB
A community-led vulnerabilities database
GeoServer, an open source server written in Java for sharing and editing geospatial data, was found to contain a security vulnerability identified as CVE-2022-24847. The vulnerability was disclosed on April 13, 2022. It stems from an unchecked JNDI lookup in the GeoServer security mechanism: a JNDI name taken from configuration is passed to the lookup as-is, so a name pointing at a remote LDAP or RMI service causes the JDK to fetch and deserialize an attacker-controlled object (NVD Results, GitHub Advisory).
The vulnerability received a CVSS v3.1 base score of 7.2 (High), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network attack vector, low attack complexity, no user interaction, but high privileges required. In practice this means the attacker must already hold GeoServer administrator rights, since the affected settings can only be changed through the GeoServer web GUI or its REST API. Besides the security mechanism itself, the same unchecked lookup is reached when configuring data stores whose data source is located via JNDI and when setting up the disk quota mechanism (GitHub Advisory).
If successfully exploited, the vulnerability results in arbitrary code execution on the host running GeoServer, with high impact on confidentiality, integrity, and availability. The practical risk is therefore escalation from a GeoServer admin account (obtained, for example, through default or weak credentials) to code execution as the GeoServer process user via class deserialization (GitHub Advisory).
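The following Java snippet is an added illustration of the bug class described above, not code from GeoServer or its advisory. `lookupUnchecked` shows the vulnerable pattern (a configuration-supplied name handed straight to `InitialContext.lookup`), and `lookupChecked` shows one way to restrict lookups to the container-local `java:comp/env/` namespace. The method names, the allow-list pattern and the sample names are assumptions chosen for the example.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import java.util.regex.Pattern;

public class JndiLookupExample {

    // Vulnerable pattern (illustration, not GeoServer's code): the JNDI name
    // comes from an admin-editable configuration field and is passed to the
    // lookup unchecked. A name such as "ldap://attacker.example:1389/x" makes
    // the JNDI client contact the attacker's server; the returned object
    // reference is deserialized by the JDK and can lead to code execution.
    static DataSource lookupUnchecked(String jndiName) throws NamingException {
        Context ctx = new InitialContext();
        return (DataSource) ctx.lookup(jndiName);
    }

    // Hardened variant: only names inside the container-local namespace are
    // accepted, so URL-style names (ldap://, rmi://, ...) never reach JNDI.
    // The character class is an assumption; tighten it to match your naming.
    private static final Pattern ALLOWED =
            Pattern.compile("^java:comp/env/[A-Za-z0-9_./-]+$");

    static String validateJndiName(String jndiName) {
        if (jndiName == null) {
            throw new IllegalArgumentException("JNDI name required");
        }
        if (!ALLOWED.matcher(jndiName).matches()) {
            throw new IllegalArgumentException("Refusing non-local JNDI name: " + jndiName);
        }
        return jndiName;
    }

    static DataSource lookupChecked(String jndiName) throws NamingException {
        Context ctx = new InitialContext();
        return (DataSource) ctx.lookup(validateJndiName(jndiName));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate container resource name and
        // three names an attacker with admin access might enter.
        String[] samples = {
            "java:comp/env/jdbc/postgis",            // accepted: local resource
            "ldap://attacker.example:1389/Exploit",  // rejected: remote LDAP ref
            "rmi://attacker.example:1099/Exploit",   // rejected: remote RMI ref
            "jdbc/postgis"                           // rejected: outside java:comp/env
        };
        for (String s : samples) {
            try {
                validateJndiName(s);
                System.out.println("ACCEPT " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Restricting the name is the application-level control; it does not depend on the JDK-side settings `com.sun.jndi.ldap.object.trustURLCodebase` and `com.sun.jndi.rmi.object.trustURLCodebase` (false by default on current JDKs), which block remote class loading but not deserialization of gadget chains already present on the server's classpath.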
The vulnerability was fixed in GeoServer 2.21.0, 2.20.4, and 2.19.6, which restrict the JNDI lookups performed by the affected components. Users unable to upgrade should restrict access to 'geoserver/web' and 'geoserver/rest' with a firewall or reverse proxy so that the GUI, the REST configuration API, and the embedded GeoWebCache configuration are unreachable from remote hosts, and should protect the file system where the GeoServer configuration is stored, since the same settings can be edited there directly. Because exploitation requires admin rights, changing default administrator credentials and auditing who holds the admin role are the first checks to make (GitHub Advisory).
Source: This report was generated using AI