Cyber Resilience

CVE-2024-36404

Critical · RCE

Published: 02 July 2024

Modified: 15 April 2026
KEV Added: not listed
Patch: fix available in versions 31.2, 30.4 and 29.6
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.9075 (99.6th percentile)
Risk Priority: 74 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36404 is a critical-severity Eval Injection (CWE-95) vulnerability in Sourceforge (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 0.4% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

GeoTools is an open source Java library that supplies tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, the library is vulnerable to remote code execution when applications invoke certain functionality that evaluates XPath expressions taken directly from user input. The flaw is tracked as CWE-95 and carries a CVSS 3.1 score of 9.8.

An unauthenticated attacker can supply a crafted XPath expression over the network and achieve arbitrary code execution on the server, resulting in full compromise of confidentiality, integrity, and availability of the affected application. Exploitation requires that the application expose GeoTools XPath evaluation paths to untrusted input, such as through complex feature-type handling in an application schema datastore.

The project security advisory and associated pull request state that the issue is resolved in the listed releases. Operators can apply the fix by upgrading or, as a temporary measure, by removing the gt-complex jar from the classpath, although this disables XPath-based querying of complex content. Pre-built replacement jars for several earlier releases are also offered on SourceForge.

The EPSS score currently stands at 0.9075 with a recorded peak of 0.9140.

Vulnerability details

GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
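The two remediation paths above (upgrade to 31.2 / 30.4 / 29.6, or drop `gt-complex` from the classpath) both leave an operator with the same question: which GeoTools jars are actually deployed, and are they below the fixed release? The script below is an added example, not code from the advisory or from the GeoTools project. It walks a list of jar paths, parses `gt-<module>-<major>.<minor>.jar` file names, and reports jars below the fixed versions, whether `gt-complex` is present, and which jars sit at a version for which the advisory says a SourceForge drop-in build exists (a file name alone cannot tell the original release from the patched drop-in, so those need manual confirmation). The version thresholds and the drop-in version list come from the advisory text; the regex, the treatment of release lines newer than 31.x as fixed, and the sample classpaths are assumptions constructed for illustration.

```python
"""Classpath check for CVE-2024-36404 (GeoTools XPath eval injection).

Added example, not part of the advisory or the GeoTools project. It reads the
GeoTools jar names on an application's classpath and reports which ones are
below the fixed releases named in the advisory (31.2, 30.4, 29.6). Version
thresholds come from the advisory; everything else (file layout, sample jar
names) is constructed for illustration.
"""
import re
from pathlib import Path

# Fixed releases per the advisory: 31.2, 30.4, 29.6. Older lines (28.x and
# below) received no maven central release with the fix.
FIXED_MINOR = {31: 2, 30: 4, 29: 6}

# Release lines for which the advisory says a drop-in replacement jar exists
# on SourceForge. A jar at one of these versions might be the patched drop-in,
# and the file name alone cannot tell; verify it against the download.
DROP_IN_VERSIONS = {(31, 1), (30, 3), (30, 2), (29, 2), (28, 2), (27, 5),
                    (27, 4), (26, 7), (26, 4), (25, 2), (24, 0)}

# Assumed naming: gt-<module>-<major>.<minor>[.<patch>][-<qualifier>].jar
JAR_RE = re.compile(
    r"^(?P<module>gt-[a-z][a-z0-9-]*?)-(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.\d+)?(?:-[A-Za-z0-9.]+)?\.jar$"
)


def version_status(major, minor):
    """Return 'fixed' or 'vulnerable' for a GeoTools release number."""
    if major > 31:
        return "fixed"  # assumption: lines newer than 31.x postdate the fix
    if major in FIXED_MINOR:
        return "fixed" if minor >= FIXED_MINOR[major] else "vulnerable"
    return "vulnerable"  # 28.x and older: no fixed release on maven central


def assess_classpath(jar_paths):
    """Classify every GeoTools jar on the classpath.

    Returns the vulnerable and fixed jar lists, whether gt-complex (the module
    the advisory's workaround removes) is present, and which vulnerable-looking
    jars sit at a drop-in version and therefore need manual checking.
    """
    report = {"vulnerable": [], "fixed": [], "unparsed": [],
              "gt_complex_present": False, "verify_drop_in": []}
    for path in jar_paths:
        name = Path(path).name
        if not name.startswith("gt-"):
            continue  # not a GeoTools module, ignore
        m = JAR_RE.match(name)
        if not m:
            report["unparsed"].append(name)
            continue
        major, minor = int(m["major"]), int(m["minor"])
        if m["module"] == "gt-complex":
            report["gt_complex_present"] = True
        status = version_status(major, minor)
        report[status].append(name)
        if status == "vulnerable" and (major, minor) in DROP_IN_VERSIONS:
            report["verify_drop_in"].append(name)
    return report


def verdict(report):
    """One-line operational conclusion from an assess_classpath() report."""
    if not report["vulnerable"] and not report["unparsed"]:
        return "patched: all GeoTools jars are at or above the fixed release"
    if not report["gt_complex_present"]:
        return ("gt-complex absent: XPath evaluation of complex content is "
                "disabled (advisory workaround); still upgrade the other jars")
    if report["verify_drop_in"]:
        return ("verify: jar versions match a SourceForge drop-in release; "
                "confirm the files are the patched builds or upgrade")
    return "exposed: upgrade GeoTools or remove gt-complex from the classpath"


# Constructed sample classpaths (not from any real deployment).
SAMPLE_OLD = [  # 30.3 is below 30.4 and matches a drop-in version
    "/opt/app/lib/gt-main-30.3.jar",
    "/opt/app/lib/gt-complex-30.3.jar",
    "/opt/app/lib/gt-xml-30.3.jar",
    "/opt/app/lib/commons-io-2.11.0.jar",
]
SAMPLE_FIXED = ["/opt/app/lib/gt-main-30.4.jar",
                "/opt/app/lib/gt-complex-30.4.jar"]
SAMPLE_EXPOSED = ["/opt/app/lib/gt-main-31.0.jar",
                  "/opt/app/lib/gt-complex-31.0.jar"]
SAMPLE_WORKAROUND = ["/opt/app/lib/gt-main-29.2.jar"]  # gt-complex removed

if __name__ == "__main__":
    for label, cp in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED),
                      ("exposed", SAMPLE_EXPOSED),
                      ("workaround", SAMPLE_WORKAROUND)):
        print(f"{label}: {verdict(assess_classpath(cp))}")
```

In a real deployment the jar list would come from the application's `lib/` directory or from the `Class-Path` of the launcher jar; the verdict strings deliberately separate "patched", "workaround applied", "verify the drop-in build" and "exposed", because the advisory's SourceForge jars reuse the old release numbers and a version-only scanner would otherwise report a patched host as vulnerable.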

CWE(s): CWE-95 (Eval Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Sourceforge (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References