Create GeoServer Code Execution Vulnerability

Goby 2024-07-03 18:55:19 +08:00 committed by GitHub
parent 35b028ab12
commit 10d4fc021b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -0,0 +1,14 @@
**Updated document date: July 3, 2024**
## GeoServer /geoserver/wfs Code Execution Vulnerability(CVE-2024-36401)
| **Vulnerability** | GeoServer /geoserver/wfs Code Execution Vulnerability(CVE-2024-36401) |
| :----: | :-----|
| **Chinese name** | GeoServer /geoserver/wfs 远程代码执行漏洞CVE-2024-36401 |
| **CVSS core** | 9.8 |
| **FOFA Query** (click to view the results directly)| [ app="GeoServer"](https://fofa.info/result?qbase64=Ym9keT0iL29yZy5nZW9zZXJ2ZXIud2ViLkdlb1NlcnZlckJhc2VQYWdlLyIgfHwgYm9keT0iY2xhc3M9XCJnZW9zZXJ2ZXIgbGViZWciIHx8IGJvZHk9Ii93ZWJhcHBzL2dlb3NlcnZlciIgfHwgKGJvZHk9IndpbmRvdy5sb2NhdGlvbi5yZXBsYWNlKFwid2ViL1wiKTsiICYmIGJvZHk9Imdlb3NlcnZlciIpIHx8IHRpdGxlPSJHZW9TZXJ2ZXIi)|
| **Number of assets affected** | 7962 |
| **Description** |GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.|
| **Impact** | The attacker can inject malicious parameters through a specific query string to execute arbitrary code to take over the server.|
![](https://s3.bmp.ovh/imgs/2024/07/03/6095c50407de1221.gif)
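Review bot: the row label "CVSS core" in the table is a typo for "CVSS score", and the heading and the first table row both lack a space before the parenthesised CVE, i.e. `| **CVSS score** | 9.8 |` and `GeoServer /geoserver/wfs Code Execution Vulnerability (CVE-2024-36401)`. The Impact row's "specific query string" is also vaguer than the Description row, which already identifies the mechanism as OGC request parameters whose property names are unsafely evaluated as XPath expressions; restating that in the Impact row keeps the two rows consistent. Since the Description row names the fixed releases (2.23.6, 2.24.4 and 2.25.2), a separate remediation row pointing readers to upgrade to one of those versions would make the fix discoverable without parsing the description sentence. Finally, the demonstration GIF is hot-linked from s3.bmp.ovh, a third-party image host; committing the asset to the repository avoids the page silently losing its only evidence if that host drops the file.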