CVE-2025-27511
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| geoserver | org.geoserver.extension:gs-db2 | < 2.27.0 | affected |
Weaknesses
- CWE-502: CWE-502: Deserialization of Untrusted Data
- CWE-74: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7
- https://github.com/geoserver/geoserver/releases/tag/2.27.0
- https://nvd.nist.gov/vuln/detail/cve-2023-27867
- https://osgeo-org.atlassian.net/browse/GEOT-7725
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.