CVE-2022-24847 is a vulnerability in Osgeo Geoserver
Published on April 13, 2022
Improper Input Validation in GeoServer
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API. The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 1.19.6. Users unable to upgrade should restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible.
Vulnerability Analysis
CVE-2022-24847 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2022-24847
Want to know whenever a new CVE is published for Osgeo Geoserver? stack.watch will email you.
Affected Versions
geoserver:- Version >= 2.20.0, < 2.20.4 is affected.
- Version < 2.19.6 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2022-24847
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.geoserver:gs-main | >= 2.20.0, < 2.20.4 | 2.20.4 |
| maven | org.geoserver:gs-main | < 2.19.6 | 2.19.6 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.