CVE-2022-24846 - OpenCVE

GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Geoserver	Geowebcache

Configuration 1 [-]

OR	cpe:2.3:a:geoserver:geowebcache::::::::
	cpe:2.3:a:geoserver:geowebcache::::::::

No data.

References

Link	Providers
https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-04-14T21:20:10

Updated: 2024-08-03T04:20:50.666Z

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24846

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-04-14T22:15:07.890

Modified: 2022-04-22T19:54:17.877

Link: CVE-2022-24846

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "geowebcache", "vendor": "GeoWebCache", "versions": [{"status": "affected", "version": ">= 1.20.0, < 1.20.2"}, {"status": "affected", "version": "< 1.19.3"}]}], "descriptions": [{"lang": "en", "value": "GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-14T21:20:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r"}], "source": {"advisory": "GHSA-4v22-v8jp-438r", "discovery": "UNKNOWN"}, "title": "Unchecked JNDI lookups in GeoWebCache", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24846", "STATE": "PUBLIC", "TITLE": "Unchecked JNDI lookups in GeoWebCache"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "geowebcache", "version": {"version_data": [{"version_value": ">= 1.20.0, < 1.20.2"}, {"version_value": "< 1.19.3"}]}}]}, "vendor_name": "GeoWebCache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20: Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r", "refsource": "CONFIRM", "url": "https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r"}]}, "source": {"advisory": "GHSA-4v22-v8jp-438r", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:50.666Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24846", "datePublished": "2022-04-14T21:20:10", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:50.666Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:geoserver:geowebcache:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEA44AC8-3C94-423B-B621-4F142347AA96", "versionEndExcluding": "1.19.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:geoserver:geowebcache:*:*:*:*:*:*:*:*", "matchCriteriaId": "43223044-F95E-4A81-9809-13C51CFC36CD", "versionEndExcluding": "1.20.2", "versionStartIncluding": "1.20.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3."}, {"lang": "es", "value": "GeoWebCache es un servidor de cach\u00e9 de azulejos implementado en Java. El mecanismo de cuota de disco de GeoWebCache puede llevar a cabo una b\u00fasqueda JNDI no verificada, que a su vez puede ser usada para llevar a cabo la deserializaci\u00f3n de clases y resultar en una ejecuci\u00f3n de c\u00f3digo arbitrario. Mientras que en GeoWebCache las cadenas JNDI son proporcionadas por medio de un archivo de configuraci\u00f3n local, en GeoServer es proporcionado una interfaz de usuario para llevar a cabo lo mismo, a la que puede accederse de forma remota, y que requiere un inicio de sesi\u00f3n a nivel de administrador para ser usado. Estas b\u00fasquedas son de alcance ilimitado y pueden conllevar a una ejecuci\u00f3n de c\u00f3digo. Las b\u00fasquedas van a ser restringidas en GeoWebCache versiones 1.21.0, 1.20.2, 1.19.3"}], "id": "CVE-2022-24846", "lastModified": "2022-04-22T19:54:17.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-04-14T22:15:07.890", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}]}