Impact
GeoServer’s DB2 DataStore Extension allows an administrator to craft a DB2 JDBC URL that triggers JNDI processing, leading to remote code execution. This flaw represents a deserialization weakness and an injection flaw, for which the CWE identifiers are 502 and 74. The impact is that an attacker who can influence the URL used by the server could execute arbitrary code on the host system, compromising confidentiality, integrity, and availability of the affected GeoServer service.
Affected Systems
The affected product is the GeoServer DB2 DataStore Extension, labeled as org.geoserver.extension:gs-db2. All releases prior to version 2.27.0 are vulnerable; GeoServer version 2.27.0 and later contain the fix.
Risk and Exploitability
The CVSS score of 7.2 marks this as a high‑severity vulnerability, though the EPSS score is not available, indicating the exploitation likelihood is not quantified. Because the exploit requires a specially crafted JDBC URL and administrative access, the practical attack vector is limited to users who have permission to configure or alter the DataStore settings. The vulnerability is not listed in the CISA KEV catalog, so no publicly known exploits have been confirmed as of the last advisory.
OpenCVE Enrichment
Github GHSA