KEVIntel
Back to KEVs
9.8
CVSS
Critical

CVE-2023-35042

PUBLISHED

GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData...

Exploited in the wild Remote Low complexity No user interaction
Vendor
GeoServer
Product
GeoServer
Published
Jun 12, 2023
EPSS

Description

GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in any version.

java

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2023-06-12 00:00:00 UTC · Source

SSVC decision points

Exploitation
none
Automatable
Yes
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CVE Jun 12, 2023

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel