7.2
CVE-2025-27511
- EPSS 0.58%
- Veröffentlicht 18.06.2026 14:23:01
- Zuletzt bearbeitet 24.06.2026 05:17:25
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.58% | 0.432 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7
https://github.com/geoserver/geoserver/releases/tag/2.27.0
https://nvd.nist.gov/vuln/detail/cve-2023-27867
https://osgeo-org.atlassian.net/browse/GEOT-7725