7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24847

GHSA ID

GHSA-4pm3-f52j-8ggh

EPSS Score

0.35924%

CWE

CWE-20

Published

4/22/2022

Updated

6/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24847

CVE-2022-24847: Improper Input Validation in GeoServer

Impact

The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API.

Patches

The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 2.19.6.

Workarounds

Protection can be achieved by making the GUI (geoserver/web), the REST configuration (geoserver/rest) and the embedded GeoWebCache configuration (geoserver/gwc/rest) unreachable from remote hosts, in addition to protecting access to the file system where the GeoServer configuration is stored.

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24847

GHSA ID

GHSA-4pm3-f52j-8ggh

EPSS Score

0.35924%

CWE

CWE-20

Published

4/22/2022

Updated

6/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.geoserver:gs-main	maven	>= 2.20.0, < 2.20.4	2.20.4
org.geoserver:gs-main	maven	< 2.19.6	2.19.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unvalidated JNDI lookups across multiple components. The commit diff shows removal of direct JNDI context creation (Context/InitialContext) and replacement with GeoTools.jndiLookup(), which likely adds validation. The original patterns in these functions allowed: 1) Unrestricted JNDI resolution 2) No validation of looked-up object types 3) Direct use of attacker-controlled strings for JNDI names. These functions handled security-sensitive operations (datasource configuration, connection testing) with admin privileges but without proper input sanitization, enabling expression language injection and deserialization attacks via malicious JNDI references.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** **oS*rv*r s**urity m****nism **n p*r*orm *n un****k** JN*I lookup, w*i** in turn **n ** us** to p*r*orm *l*ss **s*ri*liz*tion *n* r*sult in *r*itr*ry *o** *x**ution. T** s*m* **n **pp*n w*il* *on*i*urin* **t* stor*s wit* **t* sour**s l

Reasoning

T** vuln*r**ility st*ms *rom unv*li**t** JN*I lookups **ross multipl* *ompon*nts. T** *ommit *i** s*ows r*mov*l o* *ir**t JN*I *ont*xt *r**tion (*ont*xt/Initi*l*ont*xt) *n* r*pl***m*nt wit* `**oTools.jn*iLookup()`, w*i** lik*ly ***s v*li**tion. T** o

7.2

Basic Information

Concerned about an active attack path?

CVE-2022-24847: Improper Input Validation in GeoServer

Impact

Patches

Workarounds

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI