The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw affecting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
GeoServer is an open-source server written in Java that allows users to share and edit geospatial data. It is a reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards.
The vulnerability, tracked as CVE-2024-36401 (CVSS score: 9.8), is a remote code execution flaw that can be triggered using specially crafted input.
“Several OGC query parameters allow unauthenticated users to perform Remote Code Execution (RCE) via specially crafted input against the standard GeoServer installation due to unsafe evaluation of property names as XPath expressions,” according to an advisory released by the project developers earlier this month.
The flaw, reported by security researcher Steve Ikeoka, was fixed in versions 2.23.6, 2.24.4 and 2.25.2.
It is currently unclear how this vulnerability is exploited in the wild. GeoServer noted that “the issue has been confirmed to be exploitable via WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute queries.”
The maintainers also fixed another critical flaw (CVE-2024-36404, CVSS score: 9.8), which can likewise lead to RCE “when an application uses certain GeoTools features to evaluate user-supplied XPath expressions.” This was resolved in GeoTools versions 29.6, 30.4 and 31.2.
In light of the active exploitation of CVE-2024-36401, federal agencies have until August 5, 2024 to apply the vendor-provided fixes.
The development follows reports of active exploitation of a remote code execution vulnerability in the Ghostscript document conversion tool (CVE-2024-29510), which can be used to bypass the -dSAFER sandbox and run arbitrary code.
According to developer Bill Mill, writing at ReadMe, this vulnerability, patched in version 10.03.1 after Codean Labs’ responsible disclosure on March 14, 2024, has been used to gain access to vulnerable systems.