CVE-2022-24846

GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3.

CVSS v3 7.2 HIGH
CVSS v2.0 6.5 MEDIUM

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:geoserver:geowebcache::::::::
	cpe:2.3:a:geoserver:geowebcache::::::::

History

22 Apr 2022, 19:54

Type	Values Removed	Values Added
CWE	~~CWE-20~~	CWE-502
References	~~(CONFIRM) https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r -~~	(CONFIRM) https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 6.5 v3 : 7.2
First Time		Geoserver Geoserver geowebcache
CPE		cpe:2.3:a:geoserver:geowebcache::::::::

14 Apr 2022, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-04-14 22:15

Updated : 2023-12-10 14:22

NVD link : CVE-2022-24846

Mitre link : CVE-2022-24846

CVE.ORG link : CVE-2022-24846

JSON object : View

Products Affected

geoserver

geowebcache

CWE

CWE-502

Deserialization of Untrusted Data

CWE-20

Improper Input Validation

{"id": "CVE-2022-24846", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2022-04-14T22:15:07.890", "references": [{"url": "https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3."}, {"lang": "es", "value": "GeoWebCache es un servidor de cach\u00e9 de azulejos implementado en Java. El mecanismo de cuota de disco de GeoWebCache puede llevar a cabo una b\u00fasqueda JNDI no verificada, que a su vez puede ser usada para llevar a cabo la deserializaci\u00f3n de clases y resultar en una ejecuci\u00f3n de c\u00f3digo arbitrario. Mientras que en GeoWebCache las cadenas JNDI son proporcionadas por medio de un archivo de configuraci\u00f3n local, en GeoServer es proporcionado una interfaz de usuario para llevar a cabo lo mismo, a la que puede accederse de forma remota, y que requiere un inicio de sesi\u00f3n a nivel de administrador para ser usado. Estas b\u00fasquedas son de alcance ilimitado y pueden conllevar a una ejecuci\u00f3n de c\u00f3digo. Las b\u00fasquedas van a ser restringidas en GeoWebCache versiones 1.21.0, 1.20.2, 1.19.3"}], "lastModified": "2022-04-22T19:54:17.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:geoserver:geowebcache:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EEA44AC8-3C94-423B-B621-4F142347AA96", "versionEndExcluding": "1.19.3"}, {"criteria": "cpe:2.3:a:geoserver:geowebcache:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "43223044-F95E-4A81-9809-13C51CFC36CD", "versionEndExcluding": "1.20.2", "versionStartIncluding": "1.20.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}