Homepage
About Snyk

Arbitrary Code Execution Affecting org.geoserver.community:gs-jdbcconfig package, versions [,2.19.6) [2.20.0, 2.20.4)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.1% (42nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGGEOSERVERCOMMUNITY-2733803
  • published 14 Apr 2022
  • disclosed 14 Apr 2022
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 14 Apr 2022

CVE-2022-24847 Open this link in a new tab
CWE-20 Open this link in a new tab

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

org.geoserver.community:gs-jdbcconfig is a GeoServer Catalog configuration management in a databse.

Affected versions of this package are vulnerable to Arbitrary Code Execution via an unchecked JNDI lookup, which in turn can be used to perform class deserialization. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API.

Workaround

Restrict access to the geoserver/web and geoserver/rest via a firewall and ensure that the GeoWebCache is not remotely accessible.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.2 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

7.2 high