7.2

CVE-2025-27511

GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OsgeoGeoserver Version < 2.27.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.58% 0.432
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.2 1.2 5.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7
Vendor Advisory
https://github.com/geoserver/geoserver/releases/tag/2.27.0
Product
Release Notes
https://nvd.nist.gov/vuln/detail/cve-2023-27867
Not Applicable
https://osgeo-org.atlassian.net/browse/GEOT-7725
Issue Tracking