CVE-2022-24818

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24818
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24818.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-24818
Related
  • GHSA-jvh2-668r-g75x
Published
2022-04-13T21:15:07Z
Modified
2025-01-14T21:20:13Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but it requires an admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that any downstream application does not allow usage of remotely provided JNDI strings.
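The mitigation the advisory describes, refusing JNDI names that could reach a remote naming provider, as an added illustration in Java. This is not GeoTools code: the class name, the `java:comp/env/` allowlist policy, and the sample names in `main` are assumptions constructed for the example; the point it shows is that the name is checked before `InitialContext.lookup` ever sees it.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added illustration (not GeoTools code): gate every JNDI lookup behind an
 * allowlist so that a caller-supplied name cannot name a remote provider
 * (ldap://, rmi://, dns://, ...), which is the path to class deserialization
 * described in the advisory.
 */
public final class RestrictedJndiLookup {

    // Hypothetical policy: only names inside the container's local
    // environment naming context (ENC) are acceptable.
    private static final String LOCAL_ENC_PREFIX = "java:comp/env/";

    private RestrictedJndiLookup() {}

    /** Returns true only for names that stay within the local JNDI environment. */
    static boolean isAllowed(String name) {
        if (name == null || !name.startsWith(LOCAL_ENC_PREFIX)) {
            return false;               // rejects every scheme-style URL (ldap://, rmi://, ...)
        }
        String rest = name.substring(LOCAL_ENC_PREFIX.length());
        // No nested scheme, no parent traversal, no empty path components.
        return !rest.isEmpty()
                && !rest.contains(":")
                && !rest.contains("..")
                && !rest.contains("//");
    }

    /** Performs the lookup only after the name has passed the allowlist. */
    public static Object lookup(String name) throws NamingException {
        if (!isAllowed(name)) {
            throw new NamingException("JNDI name rejected by policy: " + name);
        }
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(name);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample names: the first is accepted, the rest are refused.
        String[] samples = {
            "java:comp/env/jdbc/geodata",
            "ldap://remote.example/cn=x",
            "rmi://remote.example/obj",
            "java:comp/env/../jdbc/geodata"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowed(s) ? "allowed" : "rejected"));
        }
    }
}
```

The same check can be applied at the point where a data source reads its JNDI name from configuration, so that even an authenticated administrator cannot direct a lookup to a remote host; logging the rejected name gives a detection signal for attempted misuse.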

References

Affected packages

Git / github.com/geotools/geotools

Affected ranges

Type
GIT
Repo
https://github.com/geotools/geotools
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed