July 16, 2024 | Newsroom | Vulnerabilities / Infrastructure Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw affecting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is a reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards.
The vulnerability, tracked as CVE-2024-36401 (CVSS score: 9.8), relates to a case of remote code execution that could be triggered through specially crafted input.
“Multiple OGC request parameters prevent property names from being safely evaluated as XPath expressions, allowing an unauthenticated user to achieve remote code execution (RCE) via specially crafted input against a default GeoServer installation,” reads an advisory published by project maintainers earlier this month.
The flaw has been fixed in versions 2.23.6, 2.24.4 and 2.25.2 and was reported by security researcher Steve Ikeoka.
At this time, it isn't clear how the vulnerability could be exploited, although GeoServer notes that the issue “has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.”
Another critical flaw (CVE-2024-36404, CVSS score: 9.8), which was also fixed by the maintainers, could also lead to an RCE “when an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.” This has been resolved in versions 29.6, 30.4, and 31.2.
Given that CVE-2024-36401 is being actively exploited, federal agencies should apply vendor-provided fixes by August 5, 2024.
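Two checks a defender would want from the details above, written here as an added example (not GeoServer or GeoTools project code): a version check against the fixed releases the advisory lists (GeoServer 2.23.6, 2.24.4, 2.25.2; GeoTools 29.6, 30.4, 31.2), and a scan of web server access-log lines that flags the request types the advisory names as confirmed exploitable whenever a property-name parameter carries something other than a plain OGC property name. The log format, the sample log lines, and the parameter names inspected (`propertyName`, `valueReference`) are assumptions for illustration, and the flagged value is a constructed, non-malicious XPath function call, not an exploit payload.

```python
"""Defender-side checks for the GeoServer/GeoTools XPath advisory.

Added example, not project code. The fixed versions come from the advisory;
the log format, sample lines and parameter names are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# First patched release on each affected branch, per the advisory.
GEOSERVER_FIXED = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}
GEOTOOLS_FIXED = {(29,): (29, 6), (30,): (30, 4), (31,): (31, 2)}


def parse_version(text):
    """'2.25.2' -> (2, 25, 2); tolerates suffixes such as '-SNAPSHOT'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_patched(version, fixed_table, branch_len):
    """True if `version` is at or above the fixed release for its branch.

    Branches newer than any listed are treated as released after the fix;
    branches older than any listed have no fix in the advisory (unpatched).
    """
    v = parse_version(version)
    branch = v[:branch_len]
    if branch not in fixed_table:
        return branch > max(fixed_table)
    return v >= fixed_table[branch]


# Request types the advisory says are confirmed exploitable (lower-cased).
AFFECTED_REQUESTS = {"getfeature", "getpropertyvalue", "getmap",
                     "getfeatureinfo", "getlegendgraphic", "execute"}
# Query parameters that carry property names (assumption: the common ones).
PROPERTY_PARAMS = ("propertyname", "valuereference")
# A plain OGC property name: optional namespace prefix plus an identifier.
SIMPLE_NAME = re.compile(r"^[A-Za-z_][\w.\-]*(:[A-Za-z_][\w.\-]*)?$")
# Combined-log style request line: method, URL, protocol, status.
LOG_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_params(url):
    """Return (param, value) pairs whose property-name value is not a plain name."""
    params = {k.lower(): v for k, v in parse_qsl(urlsplit(url).query)}
    if params.get("request", "").lower() not in AFFECTED_REQUESTS:
        return []
    hits = []
    for key in PROPERTY_PARAMS:
        if key in params:
            for name in params[key].split(","):
                if not SIMPLE_NAME.match(name.strip()):
                    hits.append((key, name.strip()))
    return hits


def scan_access_log(lines):
    """Return (line_no, url, hits) for GeoServer requests with non-plain property names."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if not m or "/geoserver/" not in m.group(1):
            continue
        hits = suspicious_params(m.group(1))
        if hits:
            findings.append((n, m.group(1), hits))
    return findings


# Constructed sample log: one normal GetFeature, one with an XPath function
# call where a property name is expected, one unaffected request type.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2024:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Jul/2024:10:00:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetFeature&typeNames=topp:states&propertyName=count(STATE_NAME) HTTP/1.1" 200 312',
    '10.0.0.9 - - [15/Jul/2024:10:00:03 +0000] "GET /geoserver/wms?service=WMS'
    '&request=GetCapabilities HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ver in ("2.24.3", "2.25.2"):
        print(ver, "patched" if is_patched(ver, GEOSERVER_FIXED, 2) else "UNPATCHED")
    for n, url, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {hits} in {url}")
```

The version check keys on the branch (first two components for GeoServer, first one for GeoTools) because each branch received its own fix release; a 2.26.x build is treated as patched since it post-dates the advisory. The log scan is deliberately narrow: it only looks at the request types the advisory names and only at parameters that should hold bare property names, so legitimate filter expressions in other parameters do not trigger it. Treat any hit as a lead to investigate against the full request body and server logs, not as proof of compromise.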
According to ReadMe developer Bill Mill, the vulnerability was addressed in version 10.03.1 after responsible disclosure by Codean Labs on March 14, 2024, and was subsequently weaponized to gain shell access to vulnerable systems.