CVE-2024-36401
Java vulnerability analysis and mitigation

Overview

GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2 contain a critical remote code execution vulnerability (CVE-2024-36401) with a CVSS score of 9.8. The vulnerability allows unauthenticated users to execute arbitrary code through specially crafted input against a default GeoServer installation. The issue stems from the GeoTools library API that GeoServer uses to evaluate property/attribute names for feature types: when processing XPath expressions, it evaluates those names in an unsafe manner (Fortinet, GitHub Advisory).

Technical details

The vulnerability exists in the way the GeoTools library API evaluates property/attribute names for feature types: it passes them unsafely to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. While this XPath evaluation was intended only for complex feature types (Application Schema data stores), it is incorrectly applied to simple feature types as well, making all GeoServer instances vulnerable. The vulnerability can be exploited through multiple OGC request parameters, including WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests (GitHub Advisory).

Impact

The vulnerability enables remote attackers to gain control of vulnerable systems and execute arbitrary code with the privileges of the GeoServer application. Successful exploitation has been observed targeting IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil. Attackers have used this vulnerability to deploy various malware including cryptocurrency miners, botnet malware like Condi and JenX, and backdoors such as SideWalk (Fortinet, The Hacker News).

Mitigation and workarounds

The vulnerability has been patched in GeoServer versions 2.23.6, 2.24.4, and 2.25.2. A temporary workaround exists by removing the gt-complex-x.y.jar file from the GeoServer installation, though this may break some functionality. For prior releases, patched gt-app-schema, gt-complex and gt-xsd-core jars are available for download. The developers patched the vulnerability by replacing the original vulnerable call with the function 'JXPathUtils.newSafeContext', which evaluates XPath expressions safely (GitHub Advisory, Fortinet).
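A small POSIX shell helper for the mitigation checks above, added here as an example and not taken from GeoServer or the advisory. It compares an installed version against the fixed releases named in this report (2.23.6, 2.24.4, 2.25.2) and checks whether a gt-complex jar is still present in the installation's lib directory. Two things are assumptions rather than facts from this page: that the GeoServer version can be read from a gs-main-<version>.jar file name in WEB-INF/lib, and that any release at or above 2.25.2 on a branch not listed here is fixed.

```shell
#!/bin/sh
# Added example (not from the advisory or GeoServer): triage an installation
# for CVE-2024-36401 by version and by presence of the gt-complex jar.

# version_ge A B -> exit 0 when dotted version A >= B (component-wise numeric).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# geoserver_fixed VERSION -> prints "fixed" or "vulnerable"; exit 0 only when fixed.
# Fixed releases are the ones named in the advisory text.
geoserver_fixed() {
    v="$1"
    branch="${v%.*}"            # 2.24.1 -> 2.24
    case "$branch" in
        2.23) fix=2.23.6 ;;
        2.24) fix=2.24.4 ;;
        2.25) fix=2.25.2 ;;
        *)    fix=2.25.2 ;;     # ASSUMPTION: unlisted branches are fixed only at >= 2.25.2
    esac
    if version_ge "$v" "$fix"; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# geoserver_version_from_lib LIBDIR -> prints the version parsed from
# gs-main-<version>.jar. ASSUMPTION: that jar naming convention holds.
geoserver_version_from_lib() {
    for j in "$1"/gs-main-*.jar; do
        [ -e "$j" ] || continue
        j="${j##*/}"; j="${j#gs-main-}"
        echo "${j%.jar}"
        return 0
    done
    return 1
}

# gt_complex_present LIBDIR -> exit 0 if a gt-complex-*.jar is still installed.
# The advisory's workaround for unpatched releases is to remove this jar.
gt_complex_present() {
    for j in "$1"/gt-complex-*.jar; do
        [ -e "$j" ] && return 0
    done
    return 1
}

# Usage: GEOSERVER_LIB=/path/to/geoserver/WEB-INF/lib sh check.sh
if [ -n "${GEOSERVER_LIB:-}" ]; then
    ver=$(geoserver_version_from_lib "$GEOSERVER_LIB") || { echo "version not found"; exit 2; }
    echo "GeoServer $ver: $(geoserver_fixed "$ver")"
    if gt_complex_present "$GEOSERVER_LIB"; then
        echo "gt-complex jar present (workaround not applied)"
    else
        echo "gt-complex jar absent (workaround applied or jar removed)"
    fi
fi
```

A "fixed" verdict means the version is at or above the fixed release for its branch; a "vulnerable" verdict combined with a present gt-complex jar means neither the upgrade nor the workaround is in place.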
