CVE-2022-24818 PoC — GeoTools 输入验证错误漏洞

Source

https://github.com/mbadanoiu/CVE-2022-24818

Associated Vulnerability

Title:GeoTools 输入验证错误漏洞 (CVE-2022-24818)
Description:GeoTools是一个开源 Java 库。为地理空间数据提供工具。 GeoTools存在输入验证错误漏洞，该漏洞源于GeoTools库有许多可以执行JNDI查找的数据源，这些数据源用于执行类反序列化并导致任意代码执行。以下产品及版本受到影响：GeoTools 26.4、GeoTools 25.6、GeoTools 24.6。

Description

CVE-2022-24818: Java Deserialization via Unchecked JNDI Lookups in GeoServer and GeoTools

Readme

# CVE-2022-24818: Java Deserialization via Unchecked JNDI Lookups in GeoServer and GeoTools

The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution.

As an example this can happen in GeoServer, but requires admin-level login to be triggered.

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x).

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2022-24818/blob/main/GeoServer%20-%20CVE-2022-24818.pdf).

### Additional Resources:

[ysoserial](https://github.com/frohoff/ysoserial)

File Snapshot


 [4.0K]  /data/pocs/f29b2287f6ae8f2a7387da75940818e8a20b3ffe
├── [707K]  GeoServer - CVE-2022-24818.pdf
└── [ 817]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!