The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards.
The vulnerability, tracked as CVE-2024-36401 (CVSS score: 9.8), concerns a case of remote code execution that could be triggered through specially crafted input.
“Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions,” according to an advisory released by the project maintainers earlier this month.
The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. Security researcher Steve Ikeoka has been credited with reporting the flaw.
It’s currently not clear how the vulnerability is being exploited in the wild. GeoServer noted that the issue is “confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.”
Also patched by maintainers is another critical flaw (CVE-2024-36404, CVSS score: 9.8) that could also result in RCE “if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.” It has been resolved in versions 29.6, 30.4, and 31.2.
In light of the active abuse of CVE-2024-36401, federal agencies are required to apply the vendor-provided fixes by August 5, 2024.
The development comes as reports have emerged about the active exploitation of a remote code execution vulnerability in the Ghostscript document conversion toolkit (CVE-2024-29510) that could be leveraged to escape the -dSAFER sandbox and run arbitrary code.
The vulnerability, addressed in version 10.03.1 following responsible disclosure by Codean Labs on March 14, 2024, has since been weaponized to obtain shell access to vulnerable systems, according to ReadMe developer Bill Mill.
