The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The vulnerability, tracked as CVE-2024-36401 (CVSS score: 9.8), concerns a case of remote code execution that could be triggered through specially crafted input.
“Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions,” according to an advisory released by the project maintainers earlier this month.
The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. Security researcher Steve Ikeoka has been credited with reporting the flaw.
It’s currently not clear how the vulnerability is being exploited in the wild. GeoServer noted that the issue is “confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.”
Also patched by maintainers is another critical flaw (CVE-2024-36404, CVSS score: 9.8) that could also result in RCE “if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.” It has been resolved in versions 29.6, 30.4, and 31.2.
In light of the active abuse of CVE-2024-36401, federal agencies are required to apply the vendor-provided fixes by August 5, 2024.
The development comes as reports have emerged about the active exploitation of a remote code execution vulnerability in the Ghostscript document conversion toolkit (CVE-2024-29510) that could be leveraged to escape the -dSAFER sandbox and run arbitrary code.
The vulnerability, addressed in version 10.03.1 following responsible disclosure by Codean Labs on March 14, 2024, has since been weaponized to obtain shell access to vulnerable systems, according to ReadMe developer Bill Mill.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
GitHub Token Leak Exposes Python’s Core Repositories to Potential Attacks