CVSSv3: 9.8

CVE-2024-36401

Published: 01/07/2024 Updated: 29/11/2024

Vulnerability Summary

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

Vulnerable Products

geoserver geoserver

geotools geotools

Vendor Advisories

Check Point Reference: CPAI-2024-0559 Date Published: 10 Jul 2024 Severity: Critical ...

Exploits

GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets. In the GeoServer ...

Metasploit Modules

Geoserver unauthenticated Remote Code Execution

GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets. In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. An attacker can abuse this by sending a POST request with a malicious xpath expression to execute arbitrary commands as root on the system.

msf > use exploit/multi/http/geoserver_unauth_rce_cve_2024_36401
msf exploit(geoserver_unauth_rce_cve_2024_36401) > show targets
    ...targets...
msf exploit(geoserver_unauth_rce_cve_2024_36401) > set TARGET < target-id >
msf exploit(geoserver_unauth_rce_cve_2024_36401) > show options
    ...show and set options...
msf exploit(geoserver_unauth_rce_cve_2024_36401) > exploit

Github Repositories

CVE-2024-36401-PoC: This repository contains a Proof of Concept (PoC) script for CVE-2024-36401, a vulnerability that can be exploited to gain remote code execution on the target server. Features: Assign a reverse shell listener using Perl; Encode commands using Base64; Make requests to the target server to exploit the vulnerability; Handle interruptions gracefully with signal h

✪ Collection of Metasploit Modules ✪

✪ My Contributions to Metasploit Framework (MSF). This repository contains Metasploit modules I have developed, rewritten, or contributed to. Most of these modules are already part of the Metasploit Framework (MSF). I may also include files here that are pending integration into the official MSF repository. ✪ Modules I've Fully Written: avideo_wwbnindex_unauth_rce.rb ma

CVE-2024-36401 is a high-severity remote code execution vulnerability in GeoServer. GeoServer is open-source geospatial data server software, used mainly to publish, share and process all kinds of geospatial data. ALIYUN Vulnerability principle: the vulnerability stems from GeoServer unsafely parsing property names as XPath expressions when handling them. Specifically, the GeoTools library API that GeoServer calls passes the property names of feature types to the commons-jxpath library in an unsafe way when evaluating them. Because the commons-jxpath library allows arbitrary code to be executed when parsing XPath expressions, an attacker can construct specific input and use multiple OGC request parameters (such as WFS GetFeature, WFS GetPropertyValue, WMS GetMap, etc.) to remotely execute arbitrary code without authentication.

CVE-2024-36401-poc: CVE-2024-36401 is a high-severity remote code execution vulnerability in GeoServer. GeoServer is open-source geospatial data server software, used mainly to publish, share and process all kinds of geospatial data. Vulnerability principle: the vulnerability stems from GeoServer unsafely parsing property names as XPath expressions when handling them. Specifically, the GeoTools library API that GeoServer calls, when evaluating

geoserver CVE-2024-36401 exploitation tool

geoserver CVE-2024-36401 exploitation tool. geoserver CVE-2024-36401. Environment: JDK8. Disclaimer: for authorized testing only; the author bears no responsibility for any consequences of misuse by users. Please comply with laws and regulations! 1. Default payload: POST /geoserver/wfs HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36 Accept-Encod

GeoServer Remote Code Execution

🚀 GeoServer Exploit for CVE-2024-36401 🚀 📝 Description GeoServer is an open-source Java-based software server that enables users to view, edit, and share geospatial data It offers a versatile and efficient solution for distributing geospatial information from various sources such as GIS databases, web-based data, and personal datasets In versions of GeoServer earlier

CVE-2024-36401 GeoServer Property expression injection RCE woodpecker-framework plugin

CVE-2024-36401-WoodpeckerPlugin. Installation: download the source and run mvn package, then place the jar from the target directory into the plugin folder of woodpecker-framework. If you do not want to build it yourself, download the CVE-2024-36401-WoodpeckerPlugin-1.0-SNAPSHOT-all.jar attachment directly and put it in the plugin folder of woodpecker-framework. Overview: PoC detection, Exp exploitation, poc

CVE-2024-36401 GeoServer Remote Code Execution

CVE-2024-36401 Usage: python3 exploit.py Enter host (e.g., example.com/): target.com/ Enter IP: Your IP Public/Host Ngrok Enter Listing Port: Your Port Listen

Exploiter: a vulnerability detection and exploitation tool for GeoServer Unauthenticated Remote Code Execution CVE-2024-36401.

CVE-2024-36401: GeoServer Unauthenticated Remote Code Execution. Exploiter: a vulnerability detection and exploitation tool for GeoServer Unauthenticated Remote Code Execution CVE-2024-36401. Installation: git clone github.com/RevoltSecurities/CVE-2024-36401.git cd CVE-2024-34102 pip install -r requirements.txt python3 exploiter.py --help

🚀 JiaoSuInfoSec_T00ls_Win11 🔺 JiaoSu (角宿) arsenal. WeChat official account: JiaoSu Security, JiaoSuInfoSec. 📢 Environment note: python39 sqlmap.py, python27 sqlmap.py, java -jar xx.jar. The original intent behind developing this system: faster, better, simpler, more convenient, closer to real use. For the included tools see the tool matrix below: tool matrix. 🗺️ Updates: JiaoSuInfoSec_T00

Overview: this script verifies the GeoServer remote code execution vulnerability (CVE-2024-36401). Usage: find dnslog_domain in 1.py and fill in a domain you control, import targets into 1.txt, run python 1.py, then check the logs against the generated execution_times.txt to confirm whether the vulnerability is present.

geoserver CVE-2024-36401 one-click exploitation tool

geoserver- geoserver CVE-2024-36401 one-click exploitation tool

Mass scanner for CVE-2024-36401

GeoExplorer: GeoExplorer is a mass scanner project consisting of a client and server component designed to test GeoServer instances for CVE-2024-36401 and log successful exploitations. Project Structure: client/: Contains the client-side Python script for sending specially crafted requests to abuse CVE-2024-36401 on GeoServer instances. server/: Contains the server-side async Fa

Proof-of-Concept Exploit for CVE-2024-36401 GeoServer 2.25.1

CVE-2024-36401-PoC: Proof-of-Concept Exploit for CVE-2024-36401 GeoServer 2.25.1

Nuclei Template to search for an Exposed GeoServer Web Panel

Nuclei Template to search for an Exposed GeoServer Web Panel. This template will be useful in finding GeoServer instances potentially vulnerable to CVE-2024-36401.

docker-geoserver: Dockerized GeoServer. Important deprecation notice: Old GeoServer versions affected by a severe security vulnerability have been removed from this repo to prevent damage. Please update to the most recent version where possible, or at least use a secure version. If you are on a version lower than 2.23.x and you can't update, you will need to patch and build you

Remote Code Execution (RCE) Vulnerability In Evaluating Property Name Expressions

CVE-2024-36401 Remote Code Execution (RCE) Vulnerability In Evaluating Property Name Expressions

Recent Articles

CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks
BleepingComputer • Lawrence Abrams • 16 Jul 2024

CISA is warning that a critical GeoServer GeoTools remote code execution flaw tracked as CVE-2024-36401 is being actively exploited in attacks. GeoServer is an open-source server that allows users to share, process, and modify geospatial data. On June 30th, GeoServer disclosed a critical 9.8 severity remote code execution vulnerability in its GeoTools plugin caused by unsafely e...