SB2022041378 - Deserialization of Untrusted Data in geoserver

Published: April 13, 2022 Updated: May 5, 2026

Security Bulletin ID: SB2022041378
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Deserialization of Untrusted Data (CVE-ID: CVE-2022-24847)

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in the GeoServer security mechanism, data store configuration, and disk quota mechanism when performing JNDI lookups through the GeoServer GUI or REST API. A remote privileged user can trigger an unchecked JNDI lookup to execute arbitrary code.

Exploitation requires administrative access and can occur through configuration changes made via the GeoServer GUI or REST API.
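The defensive pattern for an unchecked JNDI lookup is to validate the administrator-supplied name before it ever reaches InitialContext, accepting only names that resolve inside the container's own environment namespace. The following wrapper is an added illustration, not GeoServer's own code; the java:comp/env/ prefix is an assumed allowlist, and the class and method names are hypothetical.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Locale;

/**
 * Guarded JNDI lookup for names taken from configuration that an
 * administrator can edit (data store settings, quota back ends, and so on).
 * Illustrative code; it does not reproduce GeoServer's implementation.
 */
public final class GuardedJndiLookup {

    // Assumed allowlist: only the container-local environment namespace.
    private static final String ALLOWED_PREFIX = "java:comp/env/";

    /** Returns true only when the name stays inside the local namespace. */
    public static boolean isAllowed(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        String lower = name.toLowerCase(Locale.ROOT);
        // A URL-style name (ldap://, rmi://, iiop://, dns://, ...) directs the
        // lookup to a remote naming service and is rejected outright.
        if (lower.contains("://")) {
            return false;
        }
        // Reject attempts to climb out of the environment subtree.
        if (lower.contains("/../") || lower.endsWith("/..")) {
            return false;
        }
        return lower.startsWith(ALLOWED_PREFIX);
    }

    /** Performs the JNDI lookup only after the name passes validation. */
    public static Object lookup(String name) throws NamingException {
        if (!isAllowed(name)) {
            // Fail closed and leave an auditable record of the rejected name.
            throw new NamingException("JNDI name rejected by allowlist: " + name);
        }
        Context ctx = new InitialContext();
        return ctx.lookup(name);
    }
}
```

With this check in place, "java:comp/env/jdbc/gis" is accepted while "ldap://host/x" or "rmi://host/y" is refused before any network connection is attempted.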


Remediation

Install the update from the vendor's website.