Arbitrary Code Execution Affecting org.geoserver.community:gs-jdbcconfig package, versions [,2.19.6) [2.20.0, 2.20.4)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGGEOSERVERCOMMUNITY-2733803
- published 14 Apr 2022
- disclosed 14 Apr 2022
- credit Unknown
Introduced: 14 Apr 2022
CVE-2022-24847 Open this link in a new tabHow to fix?
A fix was pushed into the master
branch but not yet published.
Overview
org.geoserver.community:gs-jdbcconfig is a GeoServer Catalog configuration management in a databse.
Affected versions of this package are vulnerable to Arbitrary Code Execution via an unchecked JNDI lookup, which in turn can be used to perform class deserialization. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API.
Workaround
Restrict access to the geoserver/web
and geoserver/rest
via a firewall and ensure that the GeoWebCache is not remotely accessible.