Cyber Resilience

CVE-2022-24818

High

Published: 13 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (GeoTools 26.4, 25.6 and 24.6)
CVSS Score v3.1: 8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0824 (92.4th percentile)
Risk Priority: 21 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-24818 is a high-severity Improper Input Validation (CWE-20) and Expression Language Injection (CWE-917) vulnerability in the GeoTools geospatial library (vendor GeoTools). Its CVSS 3.1 base score is 8.2 (High).

Its EPSS score places it in the top 7.6% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

GeoTools, an open source Java library for geospatial data, ships several data stores whose configuration accepts a JNDI name (typically to locate a container-managed DataSource) and passes it to a JNDI lookup without validating it. Looking up an attacker-controlled name such as an ldap:// or rmi:// URL makes the JNDI provider connect to an attacker-chosen server and process whatever object comes back, which can trigger class deserialization or remote class loading and end in arbitrary code execution. The issue is tracked as CVE-2022-24818, scored CVSS 3.1 8.2, and mapped to CWE-20 (Improper Input Validation) and CWE-917 (Expression Language Injection).

The precondition is administrative access: an attacker must already be able to edit a data-store configuration in order to supply the malicious JNDI string, which is why the vector carries AV:L and PR:H despite the code-execution impact. Once the lookup runs, the outcome is comparable to the Log4j JNDI vector (Log4Shell): full code execution as the server process. Note that the JDK's default codebase restriction (trustURLCodebase=false, JDK 8u191 and later) only blocks the simplest remote class-loading variant; deserialization of a returned object and abuse of local object factories remain possible, so the administrative gate and the name validation, not the JDK, are the effective controls.

The GeoTools project fixed this in versions 26.4, 25.6 and 24.6 by restricting which JNDI names will be looked up. For deployments that cannot upgrade, the advisories recommend that downstream applications never pass remotely supplied JNDI strings to GeoTools, which in practice means validating any JNDI name in a data-store configuration before it reaches a lookup.
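To make the vulnerable pattern and its fix concrete, here is an added example written for this page; it is not GeoTools' own code and does not reproduce the project's actual patch. It assumes a data-store factory that receives a configuration parameter holding a JNDI name and uses it to find a javax.sql.DataSource; the JndiLookupGuard class, the allowed-prefix list (only "java:") and the sample names are assumptions for illustration.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;
import java.util.List;
import java.util.Locale;

/**
 * Illustrative guard for the pattern behind CVE-2022-24818 (not GeoTools' code).
 *
 * Vulnerable shape: a configured JNDI name is handed straight to
 * InitialContext.lookup(). If that name is "ldap://attacker.example/x" or
 * "rmi://attacker.example/x", the JNDI provider connects out and processes the
 * attacker's reply, which can lead to deserialization or remote class loading.
 */
public final class JndiLookupGuard {

    // Assumption for this example: only names inside the in-process "java:"
    // namespace (e.g. "java:comp/env/jdbc/geo") are ever legitimate.
    private static final List<String> ALLOWED_PREFIXES = List.of("java:");

    private JndiLookupGuard() {}

    /** Vulnerable: the configured name is looked up as-is, whatever scheme it carries. */
    public static Object vulnerableLookup(String jndiName) throws NamingException {
        Context ctx = new InitialContext();
        return ctx.lookup(jndiName);   // ldap://, rmi://, dns://, iiop:// all reach the provider
    }

    /**
     * Returns null if the name may be looked up, otherwise a human-readable reason
     * for refusing it (useful for the audit log on the admin UI that receives it).
     */
    public static String rejectionReason(String jndiName) {
        if (jndiName == null || jndiName.trim().isEmpty()) {
            return "empty JNDI name";
        }
        String name = jndiName.trim().toLowerCase(Locale.ROOT);

        // A ':' that appears before any '/' marks a URL scheme ("ldap://host/x", "rmi:x").
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        boolean hasScheme = colon > 0 && (slash < 0 || colon < slash);
        if (hasScheme && !name.startsWith("java:")) {
            return "URL scheme '" + name.substring(0, colon) + ":' is not a local naming context";
        }

        // Allowlist: everything else must sit under an approved local prefix.
        for (String prefix : ALLOWED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return null;
            }
        }
        return "name is outside the allowed prefixes " + ALLOWED_PREFIXES;
    }

    /** Hardened: validate first, then insist the bound object is really a DataSource. */
    public static DataSource guardedLookup(String jndiName) throws NamingException {
        String reason = rejectionReason(jndiName);
        if (reason != null) {
            throw new IllegalArgumentException("Refusing JNDI lookup of '" + jndiName + "': " + reason);
        }
        Object bound = new InitialContext().lookup(jndiName.trim());
        if (!(bound instanceof DataSource)) {
            throw new IllegalArgumentException("JNDI name is not bound to a DataSource: " + jndiName);
        }
        return (DataSource) bound;
    }

    public static void main(String[] args) {
        // Constructed sample names, as they might arrive in a data-store configuration form.
        String[] samples = {
            "java:comp/env/jdbc/geo",               // container-managed DataSource: allowed
            "jdbc/geo",                             // relative name: rejected by the strict allowlist
            "ldap://attacker.example/Exploit",      // Log4Shell-style remote reference
            "rmi://attacker.example:1099/Exploit",
            " LDAP://attacker.example/x",           // case and whitespace variation
        };
        for (String s : samples) {
            String reason = rejectionReason(s);
            System.out.println("'" + s + "' -> " + (reason == null ? "allowed" : "rejected: " + reason));
        }
    }
}
```

The allowlist is the real control; the scheme check in front of it only exists to give a precise reason when an ldap:, rmi:, dns: or iiop: reference is refused. Relative names such as "jdbc/geo" are also refused here, which is the strict choice: a deployment that depends on one should add that exact name to the allowlist rather than widen the check, and the instanceof test at the end stops a lookup that resolves to an unexpected object type from being used at all.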

The EPSS score has stayed at 0.0824 since disclosure, with no material increase.


Vulnerability details

GeoTools is an open source Java library that provides tools for geospatial data. The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. Similar to the Log4J case, the vulnerability can be triggered if the JNDI names are user-provided, but requires admin-level login to be triggered. The lookups are now restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that no downstream application allows usage of remotely provided JNDI strings.

CWE(s)

CWE-20: Improper Input Validation
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

geotools (vendor)
geotools (product)
Affected versions: earlier than 24.6; 25.0 up to but excluding 25.6; 26.0 up to but excluding 26.4. The fixed releases 24.6, 25.6 and 26.4 are not affected.

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry, so it is generic to CWE-20 rather than specific to this issue. The controls specific to CVE-2022-24818 are the ones given above: upgrade to GeoTools 26.4, 25.6 or 24.6, and until then make sure no remotely supplied JNDI string reaches a data-store configuration.

Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.

Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detect missing or flawed input validation, with the required remediation process ensuring fixes are applied.

Addresses CWE-20: Directly implements checks on information inputs to reject invalid data before processing.

Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
