What is CVE-2022-24847?

CVE-2022-24847 is a vulnerability in GeoServer, an open source software server written in Java, that allows for arbitrary code execution through unchecked JNDI lookup and class deserialization.

How does CVE-2022-24847 affect GeoServer?

CVE-2022-24847 affects GeoServer versions up to 2.19.6 and versions between 2.20.0 and 2.20.4.

What is the severity of CVE-2022-24847?

CVE-2022-24847 has a severity rating of 7.2, which is considered high.

How can CVE-2022-24847 be exploited?

CVE-2022-24847 can be exploited through unchecked JNDI lookup, which leads to class deserialization and allows for arbitrary code execution.

Is there a fix available for CVE-2022-24847?

Yes, the fix for CVE-2022-24847 is to update your GeoServer software to a version that includes the necessary security patches.

Vulnerability/
CVE-2022-24847

high

7.2

CWE

917 20

13/4/2022

3/8/2024

CVE-2022-24847: Improper Input Validation in GeoServer

First published: Wed Apr 13 2022(Updated: )

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API. The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 1.19.6. Users unable to upgrade should restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that the GeoWebCache is not remotely accessible.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
OSGeo GeoServer	<2.19.6
OSGeo GeoServer	>=2.20.0<2.20.4

Never miss a vulnerability like this again

Reference Links

https://github.com/geoserver/geoserver/security/advisories/GHSA-4pm3-f52j-8ggh

Frequently Asked Questions

What is CVE-2022-24847?
CVE-2022-24847 is a vulnerability in GeoServer, an open source software server written in Java, that allows for arbitrary code execution through unchecked JNDI lookup and class deserialization.
How does CVE-2022-24847 affect GeoServer?
CVE-2022-24847 affects GeoServer versions up to 2.19.6 and versions between 2.20.0 and 2.20.4.
What is the severity of CVE-2022-24847?
CVE-2022-24847 has a severity rating of 7.2, which is considered high.
How can CVE-2022-24847 be exploited?
CVE-2022-24847 can be exploited through unchecked JNDI lookup, which leads to class deserialization and allows for arbitrary code execution.
Is there a fix available for CVE-2022-24847?
Yes, the fix for CVE-2022-24847 is to update your GeoServer software to a version that includes the necessary security patches.

agent/type
collector/nvd-index
agent/software-canonical-lookup-request
agent/weakness
agent/references
agent/author
agent/softwarecombine
agent/description
collector/mitre-cve
source/MITRE
agent/title
agent/last-modified-date
agent/severity
agent/first-publish-date
agent/event
agent/tags
vendor/osgeo
canonical/osgeo geoserver
version/osgeo geoserver/2.20.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.