diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 40dbcabb558c..0447c25e12c6 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -101357,6 +101357,72 @@ "session_types": false, "needs_cleanup": true }, + "exploit_multi/http/geoserver_unauth_rce_cve_2024_36401": { + "name": "Geoserver unauthenticated Remote Code Execution", + "fullname": "exploit/multi/http/geoserver_unauth_rce_cve_2024_36401", + "aliases": [ + + ], + "rank": 600, + "disclosure_date": "2024-07-01", + "type": "exploit", + "author": [ + "h00die-gr3y ", + "jheysel-r7", + "Steve Ikeoka" + ], + "description": "GeoServer is an open-source software server written in Java that provides\n the ability to view, edit, and share geospatial data.\n It is designed to be a flexible, efficient solution for distributing geospatial data\n from a variety of sources such as Geographic Information System (GIS) databases,\n web-based data, and personal datasets.\n In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,\n multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users\n through specially crafted input against a default GeoServer installation due to unsafely\n evaluating property names as XPath expressions.\n An attacker can abuse this by sending a POST request with a malicious xpath expression\n to execute arbitrary commands as root on the system.", + "references": [ + "CVE-2024-36401", + "URL-https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv", + "URL-https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401", + "URL-https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401" + ], + "platform": "Linux,Unix", + "arch": "cmd, x86, x64, aarch64, armle", + "rport": 8080, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "Unix Command", + "Linux Dropper", + "Windows Command" + ], + "mod_time": "2024-07-12 13:38:59 +0000", + "path": "/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb", + "is_install_path": true, + "ref_name": "multi/http/geoserver_unauth_rce_cve_2024_36401", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": null + }, "exploit_multi/http/gestioip_exec": { "name": "GestioIP Remote Command Execution", "fullname": "exploit/multi/http/gestioip_exec",