Vulnerabilites related to geotools - geotools
CVE-2024-36401 (GCVE-0-2024-36401)
Vulnerability from cvelistv5
Published
2024-07-01 15:25
Modified
2025-07-30 01:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv | x_refsource_CONFIRM | |
| https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w | x_refsource_MISC | |
| https://github.com/geotools/geotools/pull/4797 | x_refsource_MISC | |
| https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 | x_refsource_MISC | |
| https://osgeo-org.atlassian.net/browse/GEOT-7587 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.23.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:2.24.0:-:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.24.4",
"status": "affected",
"version": "2.24.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geoserver:geoserver:2.25.0:-:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"lessThan": "2.25.2",
"status": "affected",
"version": "2.25.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36401",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-13T03:55:17.574252Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-07-15",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:37:00.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2024-07-15T00:00:00+00:00",
"value": "CVE-2024-36401 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-19T07:47:49.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"url": "https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.23.0, \u003c 2.23.6"
},
{
"status": "affected",
"version": "\u003e= 2.24.0, \u003c 2.24.4"
},
{
"status": "affected",
"version": "\u003e= 2.25.0, \u003c 2.25.2"
},
{
"status": "affected",
"version": "\u003c 2.22.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n\nThe GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.\n\nVersions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T14:55:46.536Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
}
],
"source": {
"advisory": "GHSA-6jj6-gm7p-fcvv",
"discovery": "UNKNOWN"
},
"title": "Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36401",
"datePublished": "2024-07-01T15:25:41.873Z",
"dateReserved": "2024-05-27T15:59:57.030Z",
"dateUpdated": "2025-07-30T01:37:00.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24818 (GCVE-0-2022-24818)
Vulnerability from cvelistv5
Published
2022-04-13 20:55
Modified
2025-04-23 18:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x | x_refsource_CONFIRM | |
| https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:50.507Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24818",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:54:30.478274Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:40:15.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"status": "affected",
"version": "\u003e= 26.0, \u003c 26.4"
},
{
"status": "affected",
"version": "\u003e= 25.0, \u003c 25.6"
},
{
"status": "affected",
"version": "\u003c 24.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-13T20:55:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
}
],
"source": {
"advisory": "GHSA-jvh2-668r-g75x",
"discovery": "UNKNOWN"
},
"title": "Unchecked JNDI lookups in GeoTools",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24818",
"STATE": "PUBLIC",
"TITLE": "Unchecked JNDI lookups in GeoTools"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "geotools",
"version": {
"version_data": [
{
"version_value": "\u003e= 26.0, \u003c 26.4"
},
{
"version_value": "\u003e= 25.0, \u003c 25.6"
},
{
"version_value": "\u003c 24.6"
}
]
}
}
]
},
"vendor_name": "geotools"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x",
"refsource": "CONFIRM",
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
},
{
"name": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"refsource": "MISC",
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
}
]
},
"source": {
"advisory": "GHSA-jvh2-668r-g75x",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24818",
"datePublished": "2022-04-13T20:55:12.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:40:15.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36404 (GCVE-0-2024-36404)
Vulnerability from cvelistv5
Published
2024-07-02 13:39
Modified
2024-08-02 03:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Summary
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
References
Impacted products
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"lessThan": "29.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"lessThan": "30.4",
"status": "affected",
"version": "30.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"lessThan": "31.2",
"status": "affected",
"version": "31.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36404",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T03:55:24.839633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-15T12:17:05.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:37:05.024Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"status": "affected",
"version": "\u003c 29.6"
},
{
"status": "affected",
"version": "\u003e= 30.0, \u003c 30.4"
},
{
"status": "affected",
"version": "\u003e= 31.0, \u003c 31.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one\u0027s application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T13:39:35.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"name": "https://github.com/geotools/geotools/pull/4797",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"name": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea"
},
{
"name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"name": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
"tags": [
"x_refsource_MISC"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download"
},
{
"name": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1"
}
],
"source": {
"advisory": "GHSA-w3pj-wh35-fq8w",
"discovery": "UNKNOWN"
},
"title": "GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36404",
"datePublished": "2024-07-02T13:39:35.716Z",
"dateReserved": "2024-05-27T15:59:57.031Z",
"dateUpdated": "2024-08-02T03:37:05.024Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-30220 (GCVE-0-2025-30220)
Vulnerability from cvelistv5
Published
2025-06-10 15:16
Modified
2025-06-10 17:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc | x_refsource_CONFIRM | |
| https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc | x_refsource_MISC | |
| https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw | x_refsource_MISC | |
| https://github.com/geonetwork/core-geonetwork/pull/8757 | x_refsource_MISC | |
| https://github.com/geonetwork/core-geonetwork/pull/8803 | x_refsource_MISC | |
| https://github.com/geonetwork/core-geonetwork/pull/8812 | x_refsource_MISC | |
| https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30220",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T17:13:03.887707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T17:13:09.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geoserver",
"vendor": "geoserver",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.27.0, \u003c 2.27.1"
},
{
"status": "affected",
"version": "\u003e= 2.26.0, \u003c 2.26.3"
},
{
"status": "affected",
"version": "\u003c 2.25.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-10T15:16:39.339Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc"
},
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/pull/8757",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8757"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/pull/8803",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8803"
},
{
"name": "https://github.com/geonetwork/core-geonetwork/pull/8812",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8812"
},
{
"name": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
}
],
"source": {
"advisory": "GHSA-jj54-8f66-c5pc",
"discovery": "UNKNOWN"
},
"title": "GeoTools, GeoServer, and GeoNetwork XML External Entity (XXE) Processing Vulnerability in XSD schema handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-30220",
"datePublished": "2025-06-10T15:16:39.339Z",
"dateReserved": "2025-03-18T18:15:13.851Z",
"dateUpdated": "2025-06-10T17:13:09.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25158 (GCVE-0-2023-25158)
Vulnerability from cvelistv5
Published
2023-02-21 20:57
Modified
2025-03-10 21:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m | x_refsource_CONFIRM | |
| https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:18:36.170Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
},
{
"name": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T20:59:06.366397Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:07:23.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "geotools",
"vendor": "geotools",
"versions": [
{
"status": "affected",
"version": "\u003e= 28.0, \u003c 28.2"
},
{
"status": "affected",
"version": "\u003c 27.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-21T20:57:47.754Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
},
{
"name": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
}
],
"source": {
"advisory": "GHSA-99c3-qc2q-p94m",
"discovery": "UNKNOWN"
},
"title": "Unfiltered SQL Injection in Geotools"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25158",
"datePublished": "2023-02-21T20:57:47.754Z",
"dateReserved": "2023-02-03T16:59:18.244Z",
"dateUpdated": "2025-03-10T21:07:23.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-02-21 21:15
Modified
2024-11-21 07:49
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C176DA1D-2F0C-4851-B8F2-4E4B89EF846A",
"versionEndExcluding": "24.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2DEC4D52-9DB7-4B98-B303-A85A25B2FF99",
"versionEndExcluding": "25.7",
"versionStartIncluding": "25.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "41A8AAAE-AD5F-480B-B4E3-1856A7A5F3EB",
"versionEndExcluding": "26.7",
"versionStartIncluding": "26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6675E1F5-3717-414F-A839-4DE8F36FE1D0",
"versionEndExcluding": "27.4",
"versionStartIncluding": "27.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4F011666-B3FF-4EA0-833B-E9738097FDAB",
"versionEndExcluding": "28.2",
"versionStartIncluding": "28.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. GeoTools includes support for OGC Filter expression language parsing, encoding and execution against a range of datastore. SQL Injection Vulnerabilities have been found when executing OGC Filters with JDBCDataStore implementations. Users are advised to upgrade to either version 27.4 or to 28.2 to resolve this issue. Users unable to upgrade may disable `encode functions` for PostGIS DataStores or enable `prepared statements` for JDBCDataStores as a partial mitigation."
}
],
"id": "CVE-2023-25158",
"lastModified": "2024-11-21T07:49:13.280",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-21T21:15:11.157",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/geotools/geotools/commit/64fb4c47f43ca818c2fe96a94651bff1b3b3ed2b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-13 21:15
Modified
2024-11-21 06:51
Severity ?
8.2 (High) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F68492E7-1B2A-4854-B4EE-921899EC15D9",
"versionEndExcluding": "24.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CEC38324-CCBF-46BE-9D58-1D821EAB22D9",
"versionEndExcluding": "25.6",
"versionStartIncluding": "25.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A3235DAF-46D9-4ACD-8D36-467B26513BA7",
"versionEndExcluding": "26.4",
"versionStartIncluding": "26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application should not allow usage of remotely provided JNDI strings."
},
{
"lang": "es",
"value": "GeoTools es una biblioteca Java de c\u00f3digo abierto que proporciona herramientas para datos geoespaciales. La biblioteca GeoTools presenta una serie de fuentes de datos que pueden llevar a cabo b\u00fasquedas JNDI no verificadas, que a su vez pueden ser usadas para llevar a cabo una deserializaci\u00f3n de clases y resultar en una ejecuci\u00f3n de c\u00f3digo arbitrario. Al igual que en el caso de Log4J, la vulnerabilidad puede desencadenarse si los nombres JNDI son proporcionados por el usuario, pero requiere un inicio de sesi\u00f3n a nivel de administrador para activarse. Las b\u00fasquedas est\u00e1n ahora restringidas en GeoTools versi\u00f3n 26.4, GeoTools versi\u00f3n 25.6 y GeoTools versi\u00f3n 24.6. Los usuarios que no puedan actualizar deben asegurarse de que cualquier aplicaci\u00f3n posterior no permita el uso de cadenas JNDI proporcionadas de forma remota"
}
],
"id": "CVE-2022-24818",
"lastModified": "2024-11-21T06:51:09.987",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-13T21:15:07.753",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-917"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-07-01 16:15
Modified
2025-08-25 02:17
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
References
Impacted products
{
"cisaActionDue": "2024-08-05",
"cisaExploitAdd": "2024-07-15",
"cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
"cisaVulnerabilityName": "OSGeo GeoServer GeoTools Eval Injection Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE0EE582-FAE7-4528-9A5E-6E56EB1DE345",
"versionEndExcluding": "2.22.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0069EB0E-BF96-47F5-8A02-13F9FA6C15D8",
"versionEndExcluding": "2.23.6",
"versionStartIncluding": "2.23.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A407E94-A7F2-4A4F-B96E-2B3DC8FF6DF3",
"versionEndExcluding": "2.24.4",
"versionStartIncluding": "2.24.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geoserver:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CFBAEC7A-6250-45FE-AB54-30D72C03F62D",
"versionEndExcluding": "2.25.2",
"versionStartIncluding": "2.25.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "732DE428-3515-459F-AE5F-08407BA1A049",
"versionEndExcluding": "29.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E338785-9877-4731-B095-E40C86D89577",
"versionEndExcluding": "30.4",
"versionStartIncluding": "30.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "956C1035-1771-4DBE-9B23-815DB6ECB8BF",
"versionEndExcluding": "31.2",
"versionStartIncluding": "31.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:30.0:-:*:*:*:*:*:*",
"matchCriteriaId": "CCE433A3-886D-4CBB-9696-660F517FBFEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:30.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "CEB40BCD-6D65-4DC8-A0BF-F5736D543B59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:31.0:-:*:*:*:*:*:*",
"matchCriteriaId": "75B1DF89-EFC1-4F5A-881E-495AE00E820B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:31.0:rc:*:*:*:*:*:*",
"matchCriteriaId": "72752A30-52B9-4E95-90F8-A807618B5313",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n\nThe GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.\n\nVersions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed."
},
{
"lang": "es",
"value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. Antes de las versiones 2.23.6, 2.24.4 y 2.25.2, varios par\u00e1metros de solicitud de OGC permit\u00edan la ejecuci\u00f3n remota de c\u00f3digo (RCE) por parte de usuarios no autenticados a trav\u00e9s de entradas especialmente dise\u00f1adas en una instalaci\u00f3n predeterminada de GeoServer debido a la evaluaci\u00f3n insegura de nombres de propiedades como expresiones XPath. La API de la librer\u00eda GeoTools a la que llama GeoServer eval\u00faa los nombres de propiedades/atributos para tipos de entidades de una manera que los pasa de manera insegura a la librer\u00eda commons-jxpath, que puede ejecutar c\u00f3digo arbitrario al evaluar expresiones XPath. Esta evaluaci\u00f3n XPath est\u00e1 destinada a ser utilizada \u00fanicamente por tipos de funciones complejas (es decir, almacenes de datos de esquemas de aplicaci\u00f3n), pero tambi\u00e9n se aplica incorrectamente a tipos de funciones simples, lo que hace que esta vulnerabilidad se aplique a **TODAS** las instancias de GeoServer. No se proporciona ninguna PoC p\u00fablica, pero se ha confirmado que esta vulnerabilidad es explotable a trav\u00e9s de solicitudes WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic y WPS Execute. Esta vulnerabilidad puede llevar a la ejecuci\u00f3n de c\u00f3digo arbitrario. Las versiones 2.23.6, 2.24.4 y 2.25.2 contienen un parche para el problema. Existe una workaround eliminando el archivo `gt-complex-xyjar` del GeoServer donde `xy` es la versi\u00f3n de GeoTools (por ejemplo, `gt-complex-31.1.jar` si ejecuta GeoServer 2.25.1). Esto eliminar\u00e1 el c\u00f3digo vulnerable de GeoServer, pero puede interrumpir algunas funciones de GeoServer o evitar que GeoServer se implemente si se necesita el m\u00f3dulo gt-complex."
}
],
"id": "CVE-2024-36401",
"lastModified": "2025-08-25T02:17:03.567",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-01T16:15:04.120",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch"
],
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-95"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-10 16:15
Modified
2025-08-26 16:10
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "319F63C7-7B2E-43CB-A91D-536D0D5D66BE",
"versionEndExcluding": "28.6.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "26F4D869-28DC-4F07-A122-B93D948EBBCF",
"versionEndExcluding": "31.7",
"versionStartIncluding": "29.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9C145224-639E-45FB-8413-C1570B9F23B6",
"versionEndExcluding": "32.3",
"versionStartIncluding": "32.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:geotools:geotools:33.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D95F0CB7-D8DF-44D3-9967-34A73AF85BAE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3595E000-B460-4BA9-AC3E-A8678FBD9899",
"versionEndExcluding": "4.2.13",
"versionStartIncluding": "4.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:osgeo:geonetwork:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A5B335EE-0493-44DE-A385-141AA2E777E7",
"versionEndExcluding": "4.4.8",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2F0B3A06-FC80-4BDD-8E00-1AE8D51A5930",
"versionEndExcluding": "2.25.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "657234C4-41D0-4CD9-B1DD-BBF565C608C6",
"versionEndExcluding": "2.26.3",
"versionStartIncluding": "2.26.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:osgeo:geoserver:2.27.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6F80D593-ADBB-46EC-B1DC-F154B6385E22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GeoServer is an open source server that allows users to share and edit geospatial data. GeoTools Schema class use of Eclipse XSD library to represent schema data structure is vulnerable to XML External Entity (XXE) exploit. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13."
},
{
"lang": "es",
"value": "GeoServer es un servidor de c\u00f3digo abierto que permite a los usuarios compartir y editar datos geoespaciales. El uso de la librer\u00eda XSD de Eclipse por parte de la clase Esquema de GeoTools para representar la estructura de datos del esquema es vulnerable a la vulnerabilidad de Entidad Externa XML (XXE). Esto afecta a quien exponga el procesamiento XML con gt-xsd-core involucrado en el an\u00e1lisis, cuando los documentos contienen una referencia a un esquema XML externo. La clase Esquemas de gt-xsd-core no utiliza el EntityResolver proporcionado por ParserHandler (si se configur\u00f3 alguno). Esto tambi\u00e9n afecta a los usuarios del almac\u00e9n de datos gt-wfs-ng donde el par\u00e1metro de conexi\u00f3n ENTITY_RESOLVER no se utilizaba correctamente. Esta vulnerabilidad est\u00e1 corregida en GeoTools 33.1, 32.3, 31.7 y 28.6.1, GeoServer 2.27.1, 2.26.3 y 2.25.7, y GeoNetwork 4.4.8 y 4.2.13."
}
],
"id": "CVE-2025-30220",
"lastModified": "2025-08-26T16:10:11.830",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.3,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-06-10T16:15:37.387",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8757"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8803"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/geonetwork/core-geonetwork/pull/8812"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/geonetwork/core-geonetwork/security/advisories/GHSA-2p76-gc46-5fvc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/geoserver/geoserver/security/advisories/GHSA-jj54-8f66-c5pc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-826p-4gcg-35vw"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
},
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}