{"vulnerability": "CVE-2022-4185", "sightings": [{"uuid": "e4c34f98-f616-46ea-92c1-1b1525543654", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/8062", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-36401\n\ud83d\udd25 CVSS Score: 9.8 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\ud83d\udd39 Description: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.\n\nThe GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.\n\nVersions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). 
This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.\n\ud83d\udccf Published: 2024-07-01T15:25:41.873Z\n\ud83d\udccf Modified: 2025-03-19T14:55:46.536Z\n\ud83d\udd17 References:\n1. https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv\n2. https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w\n3. https://github.com/geotools/geotools/pull/4797\n4. https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852\n5. https://osgeo-org.atlassian.net/browse/GEOT-7587", "creation_timestamp": "2025-03-19T15:17:44.000000Z"}, {"uuid": "a63d86c6-53e7-47c7-aa31-095364ca95b1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41853", "type": "published-proof-of-concept", "source": "https://t.me/GithubRedTeam/5939", "content": "GitHub monitoring alert!!! \n\nUpdated: RCE\nDescription: Research into CVE-2022-41853. Using static functions to obtain RCE via Java Deserialization\nURL: https://github.com/mbadanoiu/CVE-2022-41853\n\nTag: #RCE", "creation_timestamp": "2023-11-24T11:55:10.000000Z"}, {"uuid": "615e1bac-b0c9-4d21-9cf8-46f6a1d6acbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41853", "type": "seen", "source": "https://t.me/arpsyndicate/2932", "content": "#ExploitObserverAlert\n\nCVE-2022-41853\n\nDESCRIPTION: Exploit Observer has 7 entries in 3 file formats related to CVE-2022-41853. Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. 
By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property \"hsqldb.method_class_names\" to classes which are allowed to be called. For example, System.setProperty(\"hsqldb.method_class_names\", \"abc\") or Java argument -Dhsqldb.method_class_names=\"abc\" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.\n\nFIRST-EPSS: 0.007580000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2024-01-19T14:43:31.000000Z"}, {"uuid": "edbb6eb0-4032-483e-9255-b1197fe66ca6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41858", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/10750", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-41858\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.\n\ud83d\udccf Published: 2023-01-17T00:00:00.000Z\n\ud83d\udccf Modified: 2025-04-07T16:46:38.678Z\n\ud83d\udd17 References:\n1. https://github.com/torvalds/linux/commit/ec4eb8a86ade4d22633e1da2a7d85a846b7d1798\n2. 
https://security.netapp.com/advisory/ntap-20230223-0006/", "creation_timestamp": "2025-04-07T17:45:40.000000Z"}, {"uuid": "7318b929-6932-4aba-93bd-cb7286894736", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "published-proof-of-concept", "source": "Telegram/BbgDKgrCjAs5CoaxK7bbAqyVWEqK52CK1ocqdsJVUV8JCuI", "content": "", "creation_timestamp": "2024-04-02T20:37:29.000000Z"}, {"uuid": "816be7bb-430f-4165-a731-0eadc42d979e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41853", "type": "seen", "source": "https://t.me/arpsyndicate/767", "content": "#ExploitObserverAlert\n\nCVE-2022-41853\n\nDESCRIPTION: Exploit Observer has 9 entries related to CVE-2022-41853. Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property \"hsqldb.method_class_names\" to classes which are allowed to be called. For example, System.setProperty(\"hsqldb.method_class_names\", \"abc\") or Java argument -Dhsqldb.method_class_names=\"abc\" can be used. 
From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.\n\nFIRST-EPSS: 0.007180000\nNVD-IS: 5.9\nNVD-ES: 3.9", "creation_timestamp": "2023-11-29T16:20:16.000000Z"}, {"uuid": "074dc525-b2c2-4536-bf3e-b561ec651070", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "published-proof-of-concept", "source": "https://t.me/LockBitRaasRansomware/14399", "content": "", "creation_timestamp": "2024-04-02T20:37:30.000000Z"}, {"uuid": "f7e1084c-faec-476c-8f08-8d1f236d5930", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "published-proof-of-concept", "source": "https://t.me/proxy_bar/1053", "content": "CVE-2022-41852\nRCE in JXPath Library \nRead the About carefully", "creation_timestamp": "2022-10-21T20:22:06.000000Z"}, {"uuid": "d2afc425-fd26-43e0-acc5-e8ebd64823fc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "published-proof-of-concept", "source": "https://t.me/wireshark_hacking/769", "content": "CVE-2022-41852\nRCE in JXPath Library \nRead the About carefully", "creation_timestamp": "2022-10-15T10:59:08.000000Z"}, {"uuid": "2a976305-f4c9-4113-b941-e736a59c6005", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "published-proof-of-concept", "source": "Telegram/Q5Fejp7LhFOfhKinSoZ9Tvvv4SxjT_mKy-yfk9_dFJv6020", "content": "", "creation_timestamp": "2022-10-24T07:54:04.000000Z"}, 
{"uuid": "b0aa039f-36c0-48aa-95bf-743f64386ef7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "published-proof-of-concept", "source": "Telegram/QOyLEkw0yy9hNU3pXPWg3dYPxEeEfJeRh-j1_1pPhTaDgUE", "content": "", "creation_timestamp": "2022-11-17T11:10:13.000000Z"}, {"uuid": "f5d69e0f-7321-4017-a3b2-bf5281d1b81b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "published-proof-of-concept", "source": "https://t.me/breachdetector/137803", "content": "{\n  \"Source\": \"https://t.me/documentors\",\n  \"Content\": \"CVE-2022-4185.zip 6.1 kB \ud83d\udca5Apache Commons JXPath RCE (CVE-2022-41852) People who use JXPath to interpret untrusted XPath expressions may be vulnerable to RCE attacks. All JXPathContext class functions that deal with XPath strings are vulnerable, except the compile() and compilePath() functions. An attacker can use an XPath expression to load any Java class from the classpath, resulting in code execution. 
To load remote configuration to achieve RCE we can use two class constructors in spring: org.springframework.context.support.ClassPathXmlApplicationContext org.springframework.context.support.FileSystemXmlApplicationContext \ud83d\udcbeAnother analysis + PoC\", \n  \"author\": \"\u2693\ufe0f\ud835\udd07\ud835\udd2c\ud835\udd20\ud835\udd32\ud835\udd2a\ud835\udd22\ud835\udd2b\ud835\udd31\ud835\udd2c\ud835\udd2f\",\n  \"Detection Date\": \"07 Nov 2022\",\n  \"Type\": \"Data leak\"\n}\n\ud83d\udd39 Data Leak monitoring system\ud83d\udd39", "creation_timestamp": "2022-11-07T17:22:16.000000Z"}, {"uuid": "a9a581cb-9164-4a4e-856d-64b385f712ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-4185", "type": "published-proof-of-concept", "source": "https://t.me/breachdetector/137803", "content": "{\n  \"Source\": \"https://t.me/documentors\",\n  \"Content\": \"CVE-2022-4185.zip 6.1 kB \ud83d\udca5Apache Commons JXPath RCE (CVE-2022-41852) People who use JXPath to interpret untrusted XPath expressions may be vulnerable to RCE attacks. All JXPathContext class functions that deal with XPath strings are vulnerable, except the compile() and compilePath() functions. An attacker can use an XPath expression to load any Java class from the classpath, resulting in code execution. 
To load remote configuration to achieve RCE we can use two class constructors in spring: org.springframework.context.support.ClassPathXmlApplicationContext org.springframework.context.support.FileSystemXmlApplicationContext \ud83d\udcbeAnother analysis + PoC\", \n  \"author\": \"\u2693\ufe0f\ud835\udd07\ud835\udd2c\ud835\udd20\ud835\udd32\ud835\udd2a\ud835\udd22\ud835\udd2b\ud835\udd31\ud835\udd2c\ud835\udd2f\",\n  \"Detection Date\": \"07 Nov 2022\",\n  \"Type\": \"Data leak\"\n}\n\ud83d\udd39 Data Leak monitoring system\ud83d\udd39", "creation_timestamp": "2022-11-07T17:22:16.000000Z"}, {"uuid": "b40831ce-3884-4185-a009-7eb614ec7eb1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41859", "type": "seen", "source": "https://t.me/cibsecurity/56600", "content": "\u203c CVE-2022-41859 \u203c\n\nIn freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-17T20:40:15.000000Z"}, {"uuid": "3da52ccb-7e1e-4064-999a-10d7658069d3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41858", "type": "seen", "source": "https://t.me/cibsecurity/56604", "content": "\u203c CVE-2022-41858 \u203c\n\nA flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. 
This issue could allow an attacker to crash the system or leak internal kernel information.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-17T20:40:19.000000Z"}, {"uuid": "2be2b2dd-e894-4913-9921-3c512d56de35", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41853", "type": "seen", "source": "https://t.me/cibsecurity/50923", "content": "\u203c CVE-2022-41853 \u203c\n\nThose using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property \"hsqldb.method_class_names\" to classes which are allowed to be called. For example, System.setProperty(\"hsqldb.method_class_names\", \"abc\") or Java argument -Dhsqldb.method_class_names=\"abc\" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-10-06T22:23:00.000000Z"}, {"uuid": "74ddca9c-2aa7-4236-9b34-4649a95e1667", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41851", "type": "seen", "source": "https://t.me/cibsecurity/51096", "content": "\u203c CVE-2022-41851 \u203c\n\nA vulnerability has been identified in JTTK (All versions < V11.1.1.0), Simcenter Femap V2022.1 (All versions < V2022.1.3), Simcenter Femap V2022.2 (All versions < V2022.2.2). The JTTK library is vulnerable to an uninitialized pointer reference vulnerability while parsing specially crafted JT files. 
An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-16973)\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-10-13T09:01:23.000000Z"}, {"uuid": "e3af9c6f-0765-4bb1-9e23-f5eb2e1bc8b1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/7133", "content": "#Threat_Research\n1. Apache Commons JXPath RCE (CVE-2022-41852)\nhttps://xz.aliyun.com/t/11813\n2. Vulnerability package analysis in InfraSuite Device Master\nhttps://tttang.com/archive/1806/#toc_cve-2022-41778\n3. Malicious Python Packages Replace Crypto Addresses in Developer Clipboards\nhttps://blog.phylum.io/pypi-malware-replaces-crypto-addresses-in-developers-clipboard", "creation_timestamp": "2022-11-09T11:03:03.000000Z"}, {"uuid": "7eabf581-9c51-47a8-9760-8508c27f0093", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41853", "type": "published-proof-of-concept", "source": "https://t.me/Rootsec_2/2096", "content": "#exploit\n1. CVE-2023-47444:\nAuthenticated Static Code Injections in OpenCart\nhttps://0xbro.red/disclosures/disclosed-vulnerabilities/opencart-cve-2023-47444\n\n2. CVE-2022-41853:\nUsing static functions to obtain RCE via Java Deserialization & Remote Codebase Attack\nhttps://github.com/mbadanoiu/CVE-2022-41853\n\n3. 
CVE-2023-3452:\nWordpress Plugin Canto < 3.0.5 - RFI/RCE Unauthenticated\nhttps://github.com/leoanggal1/CVE-2023-3452-PoC", "creation_timestamp": "2024-08-16T08:52:58.000000Z"}, {"uuid": "9bdc8762-6f3c-472d-afb7-f738cf5588a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41852", "type": "published-proof-of-concept", "source": "https://t.me/crackcodes/1251", "content": "", "creation_timestamp": "2022-10-18T17:10:24.000000Z"}, {"uuid": "c3853394-d17c-4c5f-998a-eb9ce14abfda", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-41853", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/9459", "content": "#exploit\n1. CVE-2023-47444:\nAuthenticated Static Code Injections in OpenCart\nhttps://0xbro.red/disclosures/disclosed-vulnerabilities/opencart-cve-2023-47444\n\n2. CVE-2022-41853:\nUsing static functions to obtain RCE via Java Deserialization & Remote Codebase Attack\nhttps://github.com/mbadanoiu/CVE-2022-41853\n\n3. CVE-2023-3452:\nWordpress Plugin Canto < 3.0.5 - RFI/RCE Unauthenticated\nhttps://github.com/leoanggal1/CVE-2023-3452-PoC", "creation_timestamp": "2023-11-25T12:25:42.000000Z"}]}