
CVE-2024-36401 PoC — Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver

Associated Vulnerability
Title: Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver (CVE-2024-36401)

Description: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.

The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well, which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided, but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.

Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer installation, where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This removes the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
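The advisory gives two things a defender can act on without sending any request: the first fixed release on each maintained branch, and the `gt-complex` jar whose removal is the documented workaround. The script below turns both into a local triage check. It is an added example, not code from the PoC repository or the GeoServer project; it assumes GeoServer version strings of the form `2.x.y` (optionally with a suffix such as `-SNAPSHOT`), that branches older than 2.22 were never fixed and branches newer than 2.25 were cut after the fix, and that the jars live in a `WEB-INF/lib` directory you point it at.

```python
import re
from fnmatch import fnmatch
from pathlib import Path

# First fixed release on each maintained branch named in the advisory.
FIXED_RELEASES = {
    (2, 22): (2, 22, 6),
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}


def parse_version(version):
    """'2.25.1' or '2.25.1-SNAPSHOT' -> (2, 25, 1); raises ValueError otherwise."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if this GeoServer release contains the CVE-2024-36401 fix."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return (major, minor, patch) >= FIXED_RELEASES[branch]
    # Assumption: branches after 2.25 were released with the fix; branches
    # before 2.22 were out of support and never received it.
    return branch > (2, 25)


def find_gt_complex_jars(jar_names):
    """The gt-complex jar(s) among a list of jar file names, if any."""
    return sorted(n for n in jar_names if fnmatch(n, "gt-complex-*.jar"))


def list_jars(lib_dir):
    """Jar names in a directory, e.g. <geoserver>/WEB-INF/lib (assumed layout)."""
    return [p.name for p in Path(lib_dir).glob("*.jar")]


def assess(version, jar_names=None):
    """Combine the version check with the advisory's jar-removal workaround.

    jar_names=None means the lib directory was not inspected, so the workaround
    status is unknown and the result must not be reported as mitigated.
    """
    if is_patched(version):
        return {"status": "patched"}
    if jar_names is None:
        return {"status": "vulnerable-unless-workaround-applied"}
    jars = find_gt_complex_jars(jar_names)
    return {"status": "vulnerable" if jars else "mitigated", "gt_complex": jars}


if __name__ == "__main__":
    import sys
    # Usage: python3 triage.py <version> [path/to/WEB-INF/lib]
    jars = list_jars(sys.argv[2]) if len(sys.argv) > 2 else None
    print(assess(sys.argv[1], jars))
```

Treat "mitigated" as a stopgap only: the advisory warns that removing `gt-complex` can break functionality, and a later upgrade that restores the jar on an unpatched branch reintroduces the bug.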
Readme
# RCE vulnerability in GeoServer (CVE-2024-36401) - detection script

CVE-2024-36401 is a critical security vulnerability in GeoServer, an open-source server for sharing geospatial data, and in GeoTools, the open-source Java library it is built on. It is a Remote Code Execution (RCE) flaw: an unauthenticated attacker can run arbitrary code on an affected server by sending a crafted OGC request. Detailed information on the vulnerability and its implications can be found in the advisories published by the GeoServer and GeoTools projects.

The National Vulnerability Database (NVD) rates CVE-2024-36401 as critical (CVSS v3.1 base score 9.8), and it has since been added to CISA's Known Exploited Vulnerabilities catalog, underscoring the urgency of moving to a patched release or applying the workaround. The root cause is not a generic input-validation gap: GeoTools hands feature property names to the commons-jxpath library for evaluation as XPath expressions, and commons-jxpath can execute arbitrary code while evaluating them. That evaluation was meant only for complex (Application Schema) feature types but is applied to simple feature types as well, so every default GeoServer deployment is reachable.

Further technical details and potential exploit scenarios are outlined in various security advisories and repositories, including the official GeoServer security advisory, GeoTools security advisory, and a detailed report by security researchers on GitHub. The vulnerability highlights the need for robust security practices in managing geospatial data infrastructures and the critical importance of timely updates and security patches to mitigate such high-risk vulnerabilities.

## Usage

```bash
# Default: detect.py starts its own local out-of-band (OOB) callback listener.
# ws:states is a placeholder <workspace>:<layer> name of a published feature type.
python3 detect.py --target http://localhost:8080 --type ws:states

# Use an external OOB server instead (e.g. a Burp Collaborator host)
python3 detect.py --target http://localhost:8080 --type ws:states --oob-server http://xxx.oastify.com
```
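An OOB probe tells you whether a live server is exploitable; it does not tell you whether anyone has already tried. The advisory's list of affected request types points at the parameters worth watching in access logs: for the WFS GetFeature and GetPropertyValue requests that arrive as GET query strings, the property name travels in `propertyName` / `valueReference`, and a legitimate simple-feature property name is a plain identifier, not an XPath expression. The script below, an added example that is not part of the PoC repository, flags such values in constructed Common Log Format lines. It assumes the log records the raw request target (as Tomcat and Jetty access logs do) and it only sees GET requests: POST bodies, where WMS, WPS and XML-encoded WFS requests carry the same names, are not in an access log, so this is a partial heuristic rather than a complete detector.

```python
import re
from urllib.parse import parse_qs, urlsplit

# KVP parameters that GeoServer resolves to feature property names on the
# affected WFS request types (GetFeature: propertyName; GetPropertyValue:
# valueReference). Keys are compared case-insensitively, as KVP allows.
PROPERTY_PARAMS = {"propertyname", "valuereference"}

# What a legitimate simple-feature property reference looks like: an identifier,
# optionally namespace-prefixed (topp:STATE_NAME) or a path step (geom/the_geom).
# Anything else (function calls, quotes, operators) is worth a look.
SIMPLE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.:/@-]*$")

# Common Log Format: client ip, then the quoted "METHOD target HTTP/x.y" field.
REQUEST_FIELD = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"'
)

# Constructed sample lines for this example, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&propertyName=STATE_NAME,the_geom HTTP/1.1" 200 18422',
    '203.0.113.7 - - [10/Jul/2024:12:00:02 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&bbox=-125,24,-66,50&width=768&height=330&srs=EPSG:4326&format=image/png HTTP/1.1" 200 53011',
    '198.51.100.23 - - [10/Jul/2024:12:00:03 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=count(%2F%2F*) HTTP/1.1" 500 412',
    '198.51.100.23 - - [10/Jul/2024:12:00:04 +0000] "POST /geoserver/wps HTTP/1.1" 200 980',
]


def suspicious_property_values(target):
    """Return (param, value) pairs from a request target whose value is not a plain property name."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    hits = []
    for key, values in query.items():
        if key.lower() not in PROPERTY_PARAMS:
            continue
        for value in values:
            for name in value.split(","):  # propertyName may list several names
                name = name.strip()
                if name and not SIMPLE_NAME.match(name):
                    hits.append((key, name))
    return hits


def scan_log(lines):
    """Scan access-log lines; each finding records the client, parameter and offending value."""
    findings = []
    for line in lines:
        m = REQUEST_FIELD.match(line)
        if not m:
            continue
        for param, value in suspicious_property_values(m.group("target")):
            findings.append({"client": m.group("client"), "param": param, "value": value})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The decoded value is reported (`count(//*)` rather than `count(%2F%2F*)`) so that encoding variations do not hide matches. The POST line to `/geoserver/wps` produces no finding even though WPS Execute is on the advisory's list, which is exactly the blind spot to cover with request-body logging or a reverse proxy that can inspect POST bodies.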

## Disclaimer
This exploit script has been created solely for the purposes of research and for the development of effective defensive techniques. It is not intended to be used for any malicious or unauthorized activities. The author and the owner of the script disclaim any responsibility or liability for any misuse or damage caused by this software. Users are urged to use this software responsibly and only in accordance with applicable laws and regulations. Use responsibly.
File Snapshot

/data/pocs/7fbc05db7ded7eb37427e8f8a79940cd62d213f3
├── detect.py  (3.4K)
├── LICENSE    (1.0K)
└── README.md  (2.1K)

0 directories, 3 files