GeoServer and GeoTools Security Update Advisory (CVE-2024-36401)
Overview
GeoServer (https://geoserver.org/) and GeoTools (https://geotools.org/) have released security updates that address vulnerabilities in their products. Users of these products are advised to update to the latest versions.
Affected Products
- GeoServer versions earlier than 2.23.6
- GeoServer versions 2.24.0 (inclusive) to 2.24.4 (exclusive)
- GeoServer versions 2.25.0 (inclusive) to 2.25.2 (exclusive)
- GeoTools versions earlier than 29.6
- GeoTools versions 30.0 (inclusive) to 30.4 (exclusive)
- GeoTools versions 31.0 (inclusive) to 31.2 (exclusive)
Resolved Vulnerabilities
- A vulnerability in multiple OGC request parameters that could allow an unauthenticated user to perform remote code execution (RCE) against the default GeoServer installation via specially crafted input (GeoServer)
- A vulnerability that could allow remote code execution (RCE) when XPath expressions supplied as user input are evaluated by certain GeoTools features (GeoTools)
Vulnerability Patches
- GeoServer version 2.23.6
- GeoServer version 2.24.4
- GeoServer version 2.25.2
- GeoTools version 29.6
- GeoTools version 30.4
- GeoTools version 31.2
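The affected ranges and patched versions above are easy to misread when checking an inventory by hand, especially because GeoTools is numbered in two parts (29.6) and GeoServer in three (2.23.6). The following Python script is an added example, not part of this advisory or of the GeoServer/GeoTools projects: it encodes the ranges listed above, parses version strings of either shape, reports whether a given install is inside an affected range, and names the patched version for that range. The product inventory at the bottom is constructed sample data; versions newer than every listed range are treated as outside the scope of this advisory.

```python
"""Check GeoServer / GeoTools versions against the affected ranges in the
GeoServer and GeoTools security advisory for CVE-2024-36401.

Added example; the ranges below are transcribed from the advisory text.
Each range is (lower bound inclusive or None, upper bound exclusive); the
upper bound of every range is also the patched version for that range.
"""
from __future__ import annotations

import re
from typing import Optional

Version = tuple[int, int, int]

AFFECTED: dict[str, list[tuple[Optional[Version], Version]]] = {
    # GeoServer: < 2.23.6, [2.24.0, 2.24.4), [2.25.0, 2.25.2)
    "geoserver": [
        (None, (2, 23, 6)),
        ((2, 24, 0), (2, 24, 4)),
        ((2, 25, 0), (2, 25, 2)),
    ],
    # GeoTools: < 29.6, [30.0, 30.4), [31.0, 31.2)
    "geotools": [
        (None, (29, 6, 0)),
        ((30, 0, 0), (30, 4, 0)),
        ((31, 0, 0), (31, 2, 0)),
    ],
}

# How many numeric components each product uses when printing a version.
VERSION_PARTS = {"geoserver": 3, "geotools": 2}


def parse_version(text: str) -> Version:
    """Parse '2.25.1', '30.3' or '2.24.4-SNAPSHOT' into a 3-tuple of ints.

    Missing components are padded with 0, so GeoTools '29.6' becomes
    (29, 6, 0) and compares correctly against the 3-part ranges above.
    """
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) if p is not None else 0 for p in m.groups())
    return major, minor, patch


def format_version(product: str, version: Version) -> str:
    """Print a version tuple the way the product itself numbers releases."""
    parts = VERSION_PARTS[product.lower()]
    return ".".join(str(n) for n in version[:parts])


def affected_range(product: str, version: str) -> Optional[tuple[Optional[Version], Version]]:
    """Return the affected range containing `version`, or None if not affected."""
    key = product.lower()
    if key not in AFFECTED:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    for lower, upper in AFFECTED[key]:
        if (lower is None or v >= lower) and v < upper:
            return lower, upper
    return None  # patched release, or a newer line not covered by this advisory


def is_affected(product: str, version: str) -> bool:
    return affected_range(product, version) is not None


def recommended_fix(product: str, version: str) -> Optional[str]:
    """Patched version for the affected range, or None when nothing to do."""
    rng = affected_range(product, version)
    if rng is None:
        return None
    return format_version(product, rng[1])


def audit(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Return (host, product, version, fix) for each affected entry."""
    findings = []
    for host, product, version in inventory:
        fix = recommended_fix(product, version)
        if fix is not None:
            findings.append((host, product, version, fix))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("gis-prod-01", "GeoServer", "2.25.1"),
        ("gis-prod-02", "GeoServer", "2.25.2"),
        ("gis-legacy", "GeoServer", "2.22.0"),
        ("etl-worker", "GeoTools", "30.3"),
        ("etl-worker-2", "GeoTools", "31.2"),
    ]
    for host, product, version, fix in audit(sample):
        print(f"{host}: {product} {version} is affected; update to {fix}")
```

Run it against an exported list of hosts and versions; anything it prints is inside one of the advisory's affected ranges and the printed target is the patched release from the Vulnerability Patches list. A version string the regex cannot parse raises rather than silently passing, which is the safer failure mode for an audit script.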
Referenced Sites
[1] CVE-2024-36401 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-36401
[2] Remote Code Execution (RCE) vulnerability in geoserver
https://github.com/advisories/GHSA-6jj6-gm7p-fcvv
[3] Remote Code Execution (RCE) vulnerability in evaluating XPath expressions
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w