CVE-2024-36404: 
Java vulnerability analysis and mitigation

GeoTools, an open source Java library for geospatial data manipulation, was found to contain a Remote Code Execution (RCE) vulnerability tracked as CVE-2024-36404. The vulnerability affects versions prior to 31.2, 30.4, and 29.6, where Remote Code Execution could occur if an application uses certain GeoTools functionality to evaluate XPath expressions supplied through user input (GitHub Advisory).

The vulnerability stems from methods that pass XPath expressions to the commons-jxpath library, which can execute arbitrary code when processing user-supplied input. The affected components include org.geotools.xsd:gt-xsd-core, org.geotools:gt-app-schema, and org.geotools:gt-complex packages. The vulnerability has been assigned a CVSS score of 9.8, indicating critical severity (GitHub Advisory, CERT-EU).

If exploited, this vulnerability could allow attackers to execute arbitrary code on the application server through specially crafted XPath expressions. This could potentially lead to complete system compromise, as the vulnerability requires no authentication and can be triggered through user input (GitHub Advisory).

The vulnerability has been patched in GeoTools versions 31.2, 30.4, and 29.6. As a workaround, users can remove the gt-complex jar from their application, though this will impact functionality such as application schema datastore. Drop-in replacement jars are available on the SourceForge download page for various versions (GitHub Advisory, CERT-EU).