Posted on March 6

Geoserver unauthenticated Remote Code Execution

Disclosed: 07/01/2024
Created: 07/12/2024

Description

GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources, such as Geographic Information System (GIS) databases, web-based data, and personal datasets.

In GeoServer versions < 2.23.6, >= 2.24.0 and < 2.24.4, and >= 2.25.0 and < 2.25.1, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation, because property names are unsafely evaluated as XPath expressions. An attacker can abuse this by sending a POST request containing a malicious XPath expression to execute arbitrary commands as root on the system.

Author(s)
h00die-gr3y <[email protected]>
jheysel-r7
Steve Ikeoka
Valentin Lobstein a.k.a. chocapikk

Platform: Linux, Unix, Windows
Architectures: cmd