GHSA-g628-r368-6vh7

Source
https://github.com/advisories/GHSA-g628-r368-6vh7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-g628-r368-6vh7/GHSA-g628-r368-6vh7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g628-r368-6vh7
Aliases
  • CVE-2025-27511
Published
2026-06-11T20:34:00Z
Modified
2026-06-11T20:45:12.559681675Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
Details

Summary

An administrator can perform a JNDI attack through a specially crafted DB2 JDBC URL, leading to remote code execution (RCE).

Impact

If GeoServer has the DB2 extension installed, this vulnerability can lead to arbitrary code execution.

Details

Authenticated users can access the Vector Data Sources page to create a new data store through a DB2 JDBC connection, perform a JNDI attack because the connection parameters are unrestricted, and then achieve RCE through deserialization of untrusted data.

Remediation

This issue has been fixed in release 2.27.0: https://github.com/geoserver/geoserver/releases/tag/2.27.0.

References

  • https://osgeo-org.atlassian.net/browse/GEOT-7725
  • https://nvd.nist.gov/vuln/detail/cve-2023-27867
Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-11T20:34:00Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-502",
        "CWE-74"
    ]
}
Affected packages

Maven / org.geoserver.extension:gs-db2

Package

Name
org.geoserver.extension:gs-db2
Purl
pkg:maven/org.geoserver.extension/gs-db2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.27.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-g628-r368-6vh7/GHSA-g628-r368-6vh7.json"