On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw affecting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
GeoServer, an open-source Java-based software server, allows users to share and edit geospatial data and serves as the reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards.
The vulnerability, identified as CVE-2024-36401 with a CVSS score of 9.8, enables remote code execution through specially crafted input.
“Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions,” according to an advisory released by the project maintainers.
This issue has been fixed in versions 2.23.6, 2.24.4, and 2.25.2. Security researcher Steve Ikeoka reported the flaw.
It is not yet clear how the vulnerability is being exploited in the wild. GeoServer noted that the issue is exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.
Another critical flaw (CVE-2024-36404, CVSS score: 9.8) that could also result in RCE has been patched. This flaw occurs if an application uses certain GeoTools functionality to evaluate XPath expressions from user input and has been resolved in versions 29.6, 30.4, and 31.2.
Due to the active exploitation of CVE-2024-36401, federal agencies are required to apply the vendor-provided fixes by August 5, 2024.
Additionally, reports have emerged about the active exploitation of a remote code execution vulnerability in the Ghostscript document conversion toolkit (CVE-2024-29510). This vulnerability can be used to escape the -dSAFER sandbox and run arbitrary code. Addressed in version 10.03.1 following responsible disclosure by Codean Labs on March 14, 2024, the flaw has been weaponized to obtain shell access to vulnerable systems, according to ReadMe developer Bill Mill.
 added a critical security flaw affecting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.){kind=link}