"Organizations Warned of Exploited GeoServer Vulnerability"

The US cybersecurity agency CISA recently urged federal agencies to patch a critical-severity vulnerability in GeoServer as soon as possible, warning that there is evidence of active exploitation. The bug is tracked as CVE-2024-36401 (CVSS score of 9.8) and is described as the unsafe evaluation of property names as XPath expressions, which allows unauthenticated attackers to execute code remotely through crafted input against a default GeoServer installation.

According to CISA, GeoServer, an open-source server for sharing and editing geospatial data, calls a GeoTools library API that fails to safely evaluate property/attribute names for feature types before passing them to a library that can execute code while evaluating XPath expressions. CISA noted that because the XPath evaluation is incorrectly applied to simple feature types instead of being limited to complex feature types, the vulnerability affects all GeoServer instances. The flaw can be exploited through various types of requests.

The remote code execution flaw was addressed with the release of GeoServer versions 2.23.6, 2.24.4, and 2.25.2. GeoTools updates were also released to patch CVE-2024-36404 (CVSS score of 9.8), a remote code execution bug rooted in the evaluation of XPath expressions supplied by user input.
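Two checks a defender would want after reading the above: whether a deployed GeoServer build is at or beyond the fixed release for its branch, and a triage pass over WFS request logs for property names that carry XPath syntax rather than a plain attribute name (the article's point is that, for simple feature types, a property name should never need to be an XPath expression). The code below is an added example written for this page, not GeoServer or GeoTools code and not an exploit. The fixed versions are the three named in the article; the branch handling for older and newer branches, the "plain name" regex, the list of query parameters scanned (`propertyName`, `valueReference`) and the sample request URLs are all assumptions or constructed inputs, and the heuristic will not catch every malicious request.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fixed GeoServer releases named in the article, keyed by (major, minor) branch.
FIXED = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}


def parse_version(version: str) -> tuple:
    """'2.25.1' -> (2, 25, 1). Pre-release suffixes are not handled (assumption)."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version: str) -> bool:
    """True if this GeoServer version is at or above the fix for its branch.

    Branches older than 2.23 got no fix in the article's list, so they are
    reported as unpatched. Branches newer than 2.25 are assumed to include
    the fix (assumption: later releases build on the patched code).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > (2, 25)


# A plain, optionally namespace-prefixed XML name such as STATE_NAME or
# topp:STATE_NAME. Parentheses, brackets, slashes, quotes or spaces mean the
# value is being used as an XPath expression. Heuristic chosen for this
# example; legitimate complex-feature requests may use nested paths.
PLAIN_NAME = re.compile(r"^(?:[A-Za-z_][\w.-]*:)?[A-Za-z_][\w.-]*$")

# Query parameters that carry property names in WFS requests (assumption:
# this is the set worth scanning first; other request types exist).
PROPERTY_PARAMS = ("propertyname", "valuereference")


def suspicious_property_names(url: str) -> list:
    """Return parameter values in a WFS request URL that are not plain
    comma-separated attribute names, i.e. that contain XPath syntax."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    flagged = []
    for key, values in query.items():
        if key.lower() not in PROPERTY_PARAMS:
            continue
        for value in values:
            names = [name.strip() for name in value.split(",")]
            if any(name and not PLAIN_NAME.match(name) for name in names):
                flagged.append(value)
    return flagged


# Constructed sample request URLs (not real traffic, not a real payload).
SAMPLE_REQUESTS = [
    "http://gis.example/geoserver/wfs?service=WFS&version=2.0.0"
    "&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME",
    "http://gis.example/geoserver/wfs?service=WFS&version=2.0.0"
    "&request=GetPropertyValue&typeNames=topp:states&valueReference=topp:STATE_NAME",
    "http://gis.example/geoserver/wfs?service=WFS&version=2.0.0"
    "&request=GetPropertyValue&typeNames=topp:states&valueReference=concat('a','b')",
    "http://gis.example/geoserver/wfs?service=WFS&version=2.0.0"
    "&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,the_geom[1]",
]


def scan(urls: list) -> dict:
    """Map each URL that carries XPath-looking property names to those values."""
    report = {}
    for url in urls:
        hits = suspicious_property_names(url)
        if hits:
            report[url] = hits
    return report


if __name__ == "__main__":
    for ver in ("2.22.5", "2.24.3", "2.25.2", "2.26.0"):
        print(ver, "patched" if is_patched(ver) else "UNPATCHED")
    for url, hits in scan(SAMPLE_REQUESTS).items():
        print("review:", hits, "in", url)
```

Run the version check against `geoserver/version` output or the WAR's manifest, and feed the request scanner access-log URLs; a hit is a reason to look at the request, not proof of compromise, and an unpatched branch should be upgraded regardless of what the logs show.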


SecurityWeek reports: "Organizations Warned of Exploited GeoServer Vulnerability"

Submitted by Adam Ekwall on