https://github.com/mbadanoiu/cve-2022-24818

CVE-2022-24818: Java Deserialization via Unchecked JNDI Lookups in GeoServer and GeoTools
https://github.com/mbadanoiu/cve-2022-24818

0-day cve cve-2022-24818 cves deserialization remote-code-execution

Last synced: 4 months ago
JSON representation

CVE-2022-24818: Java Deserialization via Unchecked JNDI Lookups in GeoServer and GeoTools

• Host: GitHub
• URL: https://github.com/mbadanoiu/cve-2022-24818
• Owner: mbadanoiu
• Created: 2024-04-01T13:06:31.000Z (about 1 year ago)
• Default Branch: main
• Last Pushed: 2024-04-01T16:45:47.000Z (about 1 year ago)
• Last Synced: 2025-01-12T09:29:28.495Z (6 months ago)
• Topics: 0-day, cve, cve-2022-24818, cves, deserialization, remote-code-execution
• Homepage:
• Size: 583 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        
# CVE-2022-24818: Java Deserialization via Unchecked JNDI Lookups in GeoServer and GeoTools

The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution.

As an example this can happen in GeoServer, but requires admin-level login to be triggered.

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x).

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2022-24818/blob/main/GeoServer%20-%20CVE-2022-24818.pdf).

### Additional Resources:

[ysoserial](https://github.com/frohoff/ysoserial)