Deserialization of Untrusted Data in geoserver - CVE-2022-24847

 

Published: April 13, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU129762
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-24847
CWE-ID: CWE-502
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
geoserver
Software vendor:
geoserver

Description

The vulnerability allows a remote privileged user to execute arbitrary code on the target system.

The vulnerability exists due to unrestricted JNDI lookups in the GeoServer security mechanism, data store configuration, and disk quota mechanism. The JNDI name is taken from configuration that an administrator supplies through the GeoServer GUI or REST API and is resolved without checking that it refers to a local container resource. A name that points at an attacker-controlled naming service (for example an LDAP or RMI endpoint) therefore causes untrusted data to be deserialized and arbitrary code to be executed with the privileges of the GeoServer process.

Exploitation requires administrative access to GeoServer and is carried out through configuration changes made via the GeoServer GUI or REST API. This is why the CVSS vector records PR:H and the severity is rated Low despite the code-execution impact.
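The following is an added illustration and not GeoServer's own code. It contrasts the vulnerable pattern the description refers to (an administrator-supplied JNDI name passed straight to InitialContext.lookup) with a hardened version that accepts only names under the container's local java:comp/env namespace. The class, method and sample names are hypothetical, and the prefix check shown here is one reasonable mitigation, not necessarily the one the vendor shipped.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Hypothetical example (not GeoServer code): an unvalidated JNDI lookup next
 * to a lookup restricted to the local java:comp/env namespace.
 */
public final class JndiLookupExample {

    private static final String LOCAL_PREFIX = "java:comp/env/";

    /**
     * Vulnerable pattern: the string the administrator typed into a data store,
     * security or disk quota setting is resolved as-is. A value such as
     * "ldap://attacker.example:1389/x" makes the JNDI client contact a remote
     * naming service and deserialize or load whatever it returns.
     */
    static Object lookupUnchecked(String name) throws NamingException {
        Context ctx = new InitialContext();
        return ctx.lookup(name);
    }

    /**
     * Hardened form: normalize the name to java:comp/env/... and refuse anything
     * that still looks like a URL-style name (a scheme separator, "//" or a
     * parent-path component after the prefix).
     */
    static String requireLocalJndiName(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("JNDI name must not be empty");
        }
        String normalized = name.startsWith(LOCAL_PREFIX) ? name : LOCAL_PREFIX + name;
        String rest = normalized.substring(LOCAL_PREFIX.length());
        if (rest.isEmpty() || rest.contains(":") || rest.contains("//") || rest.contains("..")) {
            throw new IllegalArgumentException("Refusing non-local JNDI name: " + name);
        }
        return normalized;
    }

    /** Same lookup as above, but only after the name has passed the check. */
    static Object lookupChecked(String name) throws NamingException {
        Context ctx = new InitialContext();
        return ctx.lookup(requireLocalJndiName(name));
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate container resources and
        // three names an attacker with admin access might submit.
        String[] samples = {
            "jdbc/postgis",                    // accepted, relative to java:comp/env
            "java:comp/env/jdbc/postgis",      // accepted, already fully qualified
            "ldap://attacker.example:1389/a",  // rejected
            "rmi://attacker.example:1099/b",   // rejected
            "java:comp/env/../ldap://x"        // rejected
        };
        for (String s : samples) {
            try {
                System.out.println("accept " + requireLocalJndiName(s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Compile with javac and run the class to see the accept/reject decision for each sample. In a real deployment the check belongs where the GUI or REST handler accepts the configuration value, before it is persisted, so that a malicious name never reaches the lookup at all.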


Remediation

Install the security update from the vendor's website. Until the update is applied, restrict GeoServer administrative access to trusted users and review existing data store, security and disk quota configurations for JNDI names that do not refer to a local container resource.

External links