CISA Known Exploited Vulnerability
This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.
Remediation Deadline: Aug 5, 2024
Description
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.
EPSS — Exploit Probability
Higher than 100.0% of all CVEs
Required Action
This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, https://github.com/geotools/geotools/pull/4797 ; https://nvd.nist.gov/vuln/detail/CVE-2024-36401
Risk Assessment
HIGHDetails
- Severity
- High
- EPSS
- 94.4%
- CISA KEV
- Yes
- Ransomware
- Unknown
- Articles
- 0
Timeline
Published
Jul 15, 2024
Added to KEV
Jul 15, 2024
Remediation Due
Aug 5, 2024