CVE-2024-36404

CVSS V2 None CVSS V3 None
Description
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
Overview
  • CVE ID
  • CVE-2024-36404
  • Assigner
  • GitHub_M
  • Vulnerability Status
  • PUBLISHED
  • Published Version
  • 2024-07-02T13:39:35.716Z
  • Last Modified Date
  • 2024-07-02T13:39:35.716Z
Weakness Enumerations
CWE URL
CWE-95 http://cwe.mitre.org/data/definitions/95.html
References
Reference URL Reference Tags
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w x_refsource_CONFIRM
https://github.com/geotools/geotools/pull/4797 x_refsource_MISC
https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea x_refsource_MISC
https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852 x_refsource_MISC
https://osgeo-org.atlassian.net/browse/GEOT-7587 x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4 x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download x_refsource_MISC
https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1 x_refsource_MISC
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2024-36404
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36404
History
Created Old Value New Value Data Type Notes
2024-07-03 13:12:04 Added to TrackCVE