GeoTools RCE via XPath Eval Before 31.2 (gt-complex)
CVE-2024-36404 Published on July 2, 2024
GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
Vulnerability Analysis
CVE-2024-36404 is exploitable over the network and requires neither privileges nor user interaction; attack complexity is rated low. The impact is rated critical because a successful exploit fully compromises the confidentiality, integrity and availability of the affected component. Note that the exploit path depends on the application passing user-controlled XPath expressions to the affected GeoTools evaluation code; applications that never evaluate untrusted XPath are not reachable through this bug, although they should still upgrade.
Weakness Type
What is an Eval Injection Vulnerability?
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). This may allow an attacker to execute arbitrary code, or at least modify what code can be executed.
CVE-2024-36404 has been classified as an Eval Injection weakness: the XPath expression supplied by the user is handed to an evaluator that can execute code, rather than being treated purely as a query over the data.
Products Associated with CVE-2024-36404
Affected Versions
geotools:
- Version < 29.6 is affected.
- Version >= 30.0, < 30.4 is affected.
- Version >= 31.0, < 31.2 is affected.
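The advisory gives three fixed releases and a workaround (drop the `gt-complex` jar), which makes the first practical step an inventory check: which GeoTools jars are on the classpath, at what version, and is `gt-complex` among them. The script below is an added example written for this page, not code from the GeoTools project or from stack.watch. It encodes the affected ranges listed above, parses lines in the format `mvn dependency:tree` prints (the Maven group id `org.geotools` is real; the sample tree is constructed for illustration and is not taken from any actual project), and reports every affected GeoTools artifact plus the version of `gt-complex` if it is present.

```python
"""Inventory check for CVE-2024-36404 (GeoTools XPath eval RCE).

Added example, not part of the GeoTools project. Reads `mvn dependency:tree`
style output, flags org.geotools artifacts whose version falls in the affected
ranges published in the advisory, and tells you whether gt-complex (the jar
that carries the vulnerable XPath evaluation) is on the classpath at all.
"""
import re

# Fixed releases per the advisory: 29.6, 30.4, 31.2.  Everything below 29.6
# (including all 28.x and older lines), 30.0-30.3 and 31.0-31.1 is affected.
FIXED_MINOR = {29: 6, 30: 4, 31: 2}

# Matches e.g. "org.geotools:gt-complex:jar:31.1:compile" anywhere in a line.
COORD = re.compile(r"org\.geotools:(gt-[\w-]+):jar:([0-9][\w.\-]*)")


def parse_version(version):
    """'31.1' -> (31, 1). Tolerates qualifiers such as '31.1-SNAPSHOT'."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GeoTools version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version):
    """True if `version` lies in one of the advisory's affected ranges."""
    major, minor = parse_version(version)
    if major < 29:
        return True                      # advisory: "< 29.6 is affected"
    if major in FIXED_MINOR:
        return minor < FIXED_MINOR[major]
    return False                         # 32.x and later are not listed


def scan_dependency_tree(text):
    """Return [(artifact, version)] for every affected GeoTools jar found."""
    hits = []
    for line in text.splitlines():
        m = COORD.search(line)
        if m and is_affected(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def gt_complex_version(text):
    """Version of gt-complex on the classpath, or None if it is absent.

    The advisory's workaround is to remove this jar; if it is absent the
    vulnerable XPath evaluation is not present either.
    """
    for line in text.splitlines():
        m = COORD.search(line)
        if m and m.group(1) == "gt-complex":
            return m.group(2)
    return None


# Constructed sample output in `mvn dependency:tree` format (not a real project).
SAMPLE_TREE = """\
[INFO] com.example:geo-app:jar:1.0
[INFO] +- org.geotools:gt-main:jar:31.1:compile
[INFO] +- org.geotools:gt-complex:jar:31.1:compile
[INFO] +- org.geotools:gt-app-schema:jar:31.1:compile
[INFO] \\- org.geotools:gt-referencing:jar:31.2:compile
"""

if __name__ == "__main__":
    for artifact, version in scan_dependency_tree(SAMPLE_TREE):
        print(f"affected: org.geotools:{artifact}:{version}")
    gtc = gt_complex_version(SAMPLE_TREE)
    print("gt-complex present at", gtc if gtc else "(absent)")
```

One caveat the version check cannot cover: the drop-in replacement jars the advisory points to on SourceForge keep the original version number (31.1, 30.3 and so on), so a fixed classpath built that way will still be flagged here. In that case verify the jar's checksum against the download rather than trusting the version string, and prefer upgrading to 31.2, 30.4 or 29.6 from Maven Central so the dependency metadata reflects the fix.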
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.