CVE-2023-35042
Published: 12 June 2023
Summary
CVE-2023-35042 is a critical-severity vulnerability in GeoServer; the weakness type is unspecified (no CWE assigned). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
GeoServer 2 contains a critical remote code execution vulnerability, CVE-2023-35042, that affects the Web Processing Service (WPS) in some configurations. According to the public description, an attacker can place a java.lang.Runtime.getRuntime().exec call inside a wps:LiteralData element of a wps:Execute request to run arbitrary commands on the underlying server.
Unauthenticated remote attackers can exploit the flaw over the network to achieve full code execution, compromising confidentiality, integrity, and availability. The issue was observed being exploited in the wild in June 2023, shortly after disclosure, and carries a CVSS 3.1 base score of 9.8.
The vendor states that it is unable to reproduce the problem in any version, so the exact preconditions behind "some configurations" remain unconfirmed; public references are limited to the WPS Execute documentation and incident reporting from SANS ISC. The EPSS score reached 0.3428, a material rise that signals exploitation interest after the CVE became public. The disputed status is a reason to verify exposure rather than to skip it: until the precondition is confirmed, the practical check is whether the WPS Execute endpoint is reachable from untrusted networks at all, and whether incoming wps:Execute bodies are being inspected for the indicator above.
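Because the vendor cannot reproduce the issue, there is no patch to point at; the one concrete artefact the advisory gives is the request shape (a wps:Execute whose wps:LiteralData carries a java.lang.Runtime.getRuntime().exec string). The detector below, an added example and not GeoServer or SANS ISC code, checks request bodies for exactly that shape, with a raw-text fallback so malformed probes are still logged. The sample requests are constructed here, not captured traffic; the "ProcessBuilder" alternative in the pattern is my own addition, not something the advisory names.

```python
"""Flag WPS Execute requests whose LiteralData carries a Java Runtime.exec
string, the indicator CVE-2023-35042 describes. Added example; not project code."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Indicator taken from the CVE text: java.lang.Runtime.getRuntime().exec.
# Whitespace between tokens is tolerated because attackers vary it.
# "ProcessBuilder" is an assumption of mine, not named by the advisory.
EXEC_PATTERN = re.compile(
    r"java\s*\.\s*lang\s*\.\s*Runtime"
    r"|getRuntime\s*\(\s*\)\s*\.\s*exec"
    r"|ProcessBuilder",
    re.IGNORECASE,
)
EXECUTE_TAG = re.compile(r"<(?:\w+:)?Execute\b")


def _local(tag: str) -> str:
    """Return the local name of an ElementTree tag ('{ns}Execute' -> 'Execute')."""
    return tag.rsplit("}", 1)[-1]


def scan_wps_request(body: str) -> Dict[str, object]:
    """Inspect one WPS request body.

    Returns {'parsed': bool, 'is_execute': bool, 'hits': [literal text, ...]}.
    Only LiteralData elements are inspected, matching the advisory's wording;
    ComplexData is out of scope here.
    """
    result: Dict[str, object] = {"parsed": False, "is_execute": False, "hits": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Malformed XML never reaches a WPS process, but a deliberately broken
        # probe is still worth logging, so fall back to a raw-text check.
        result["is_execute"] = bool(EXECUTE_TAG.search(body))
        result["hits"] = [m.group(0) for m in EXEC_PATTERN.finditer(body)]
        return result

    result["parsed"] = True
    if _local(root.tag) != "Execute":
        return result  # GetCapabilities / DescribeProcess carry no inputs
    result["is_execute"] = True

    hits: List[str] = []
    for el in root.iter():
        if _local(el.tag) == "LiteralData":
            text = "".join(el.itertext()).strip()
            if EXEC_PATTERN.search(text):
                hits.append(text)
    result["hits"] = hits
    return result


def flagged_indices(bodies: List[str]) -> List[int]:
    """Indices of request bodies that contain the exec indicator."""
    return [i for i, b in enumerate(bodies) if scan_wps_request(b)["hits"]]


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute service="WPS" version="1.0.0"
    xmlns:wps="http://www.opengis.net/wps/1.0.0"
    xmlns:ows="http://www.opengis.net/ows/1.1">
  <ows:Identifier>JTS:buffer</ows:Identifier>
  <wps:DataInputs>
    <wps:Input>
      <ows:Identifier>distance</ows:Identifier>
      <wps:Data><wps:LiteralData>10</wps:LiteralData></wps:Data>
    </wps:Input>
  </wps:DataInputs>
</wps:Execute>"""

# Same request with the advisory's indicator dropped into LiteralData.
SUSPICIOUS_REQUEST = BENIGN_REQUEST.replace(
    "<wps:LiteralData>10</wps:LiteralData>",
    '<wps:LiteralData>java.lang.Runtime.getRuntime().exec("id")</wps:LiteralData>',
)

# Unterminated on purpose: exercises the raw-text fallback path.
BROKEN_PROBE = "<wps:Execute><wps:LiteralData>java . lang . Runtime"

if __name__ == "__main__":
    for name, body in [("benign", BENIGN_REQUEST),
                       ("suspicious", SUSPICIOUS_REQUEST),
                       ("broken", BROKEN_PROBE)]:
        print(name, scan_wps_request(body))
```

Run it over request bodies pulled from a reverse proxy or WAF log rather than GeoServer's own access log, which records only the URL, not the POST body. For untrusted XML in production, parse with defusedxml instead of xml.etree to rule out entity-expansion tricks; the detection logic is unchanged.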
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1696
Vulnerability details
GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in any version.
- CWE(s): none assigned (unspecified weakness)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.