CVE-2024-36404

9.8 CRITICAL

📋 TL;DR

This vulnerability in GeoTools allows remote code execution when an application passes user-supplied property names or XPath expressions to GeoTools' XPath evaluation. The vulnerable path lives in the gt-complex module, which evaluates expressions with Apache Commons JXPath, a library that can instantiate classes and call Java methods from inside an expression. An attacker who controls the expression can execute arbitrary code with the privileges of the Java process. Applications that use GeoTools for geospatial data processing and expose XPath or property-name evaluation to untrusted input are at risk.

💻 Affected Systems

Products:
  • GeoTools
Versions: 31.x prior to 31.2, 30.x prior to 30.4, 29.x prior to 29.6; branches older than 29.x have no fixed release
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only when an application passes user-controlled property names or XPath expressions to GeoTools evaluation with the gt-complex jar on the classpath. The application schema (app-schema) datastore depends on gt-complex, so applications using it cannot simply drop the module.

⚠️ Manual Verification Required

The NVD entry for this CVE may lack CPE version ranges, so scanners that match on CPE data alone cannot reliably determine whether your system is affected. The vendor advisory (linked below) does state the affected and fixed versions; use those for a manual check.

Why? Automated matching relies on version ranges in the CVE database; where none are recorded, the scanner cannot compare your installed version against them.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing the attacker to execute arbitrary commands as the Java process, access sensitive data, and pivot to other systems.

🟠 Likely Case

Application compromise leading to data theft, service disruption, or lateral movement within the network.

🟢 If Mitigated

Limited impact if input validation prevents malicious XPath expressions from reaching evaluation, or if the affected functionality (gt-complex) is removed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attacker-controlled input to reach a GeoTools XPath evaluation. Because GeoTools hands the expression to Apache Commons JXPath, the same library behind CVE-2022-41852, the expression-based exploitation pattern seen there applies here as well; no memory corruption or authentication bypass is needed, only a reachable evaluation call.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 31.2, 30.4, or 29.6

Vendor Advisory: https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w

Restart Required: Yes

Instructions:

1. Update the GeoTools dependency to version 31.2, 30.4, or 29.6 (or later on the same branch).
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Restart application services.

🔧 Temporary Workarounds

Remove gt-complex jar (applies to all versions)

Disables GeoTools XPath expression evaluation so the vulnerable code path cannot be reached. Functionality that depends on gt-complex, such as the application schema datastore, stops working.

Remove gt-complex-*.jar from the application classpath, or exclude it in dependency management.

Use patched jar from SourceForge (applies to all versions)

Drop-in replacement jars patched for specific older versions, for deployments that cannot move to a fixed release.

Download the patched jar matching your version from SourceForge and replace the existing GeoTools jar.

🧯 If You Can't Patch

  • Validate user input before it reaches any GeoTools evaluation: allow-list plain attribute names taken from the feature type and reject anything else (parentheses, predicates, @ references, dotted Java class paths). Prefer rejecting over sanitizing, since an XPath "sanitizer" is easy to get wrong.
  • Disable or restrict access to functionality that evaluates XPath or property names from untrusted input, and require authentication for the endpoints that do.
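The allow-list check described above, written out as an added example (not code from the page or from the GeoTools project): a property name supplied by a user is accepted only if it is a plain attribute reference and appears in the set of names the application derived from its feature type. The plain-name grammar, the 256-character limit, and the sample attribute set are assumptions made here for illustration.

```python
import re
from typing import Iterable

# A plain property reference: an optional namespace prefix and a local name,
# with optional "/" steps for nested attributes (e.g. "gml:name", "geometry",
# "location/point"). Anything else (parentheses, brackets, quotes, "@",
# operators) is treated as an XPath expression and rejected.
# Assumed policy for this example, not a GeoTools rule.
_QNAME = r"[A-Za-z_][A-Za-z0-9_.-]*"
_PLAIN_REF = re.compile(rf"^(?:{_QNAME}:)?{_QNAME}(?:/(?:{_QNAME}:)?{_QNAME})*$")


class UnsafePropertyName(ValueError):
    """Raised when user input is not a known, plain attribute reference."""


def validate_property_name(user_input: str, allowed: Iterable[str]) -> str:
    """Return user_input unchanged if it is a plain attribute reference listed in
    `allowed` (the attribute names of the feature type being queried); raise
    otherwise. Call this before any ff.property(...) / XPath evaluation."""
    if not isinstance(user_input, str) or not user_input or len(user_input) > 256:
        raise UnsafePropertyName("property name missing or too long")
    if not _PLAIN_REF.match(user_input):
        raise UnsafePropertyName(f"not a plain attribute reference: {user_input!r}")
    if user_input not in set(allowed):
        raise UnsafePropertyName(f"unknown attribute: {user_input!r}")
    return user_input


# Constructed attribute names standing in for a feature type's schema.
SAMPLE_ALLOWED = {"gml:name", "geometry", "location/point", "population"}

if __name__ == "__main__":
    for candidate in ["gml:name", "location/point", "name[1]", "foo/bar(1)", "@id", "geom"]:
        try:
            print("accepted:", validate_property_name(candidate, SAMPLE_ALLOWED))
        except UnsafePropertyName as exc:
            print("rejected:", exc)
```

The allow-list is the important part: even a dotted string such as a fully qualified class name passes the syntax check, so the name must also be one the schema actually defines.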

🔍 How to Verify

Check if Vulnerable:

Check the GeoTools version in the application's dependencies. If it is 31.x below 31.2, 30.x below 30.4, 29.x below 29.6, or any older branch, and the application evaluates XPath or property names from user input with gt-complex on the classpath, the system is vulnerable.

Check Version:

Check pom.xml for the <geotools.version> property, or list the resolved artifacts with: mvn dependency:tree -Dincludes=org.geotools (Gradle: gradle dependencies). Alternatively inspect the deployed jars: the version is in the file name (for example gt-main-31.1.jar) and in the Implementation-Version entry of each jar's META-INF/MANIFEST.MF.

Verify Fix Applied:

Verify that every org.geotools artifact in the application's dependencies is at 31.2, 30.4, or 29.6 or later on its branch (mixed versions are a sign of an incomplete upgrade), and, if relying on the workaround, that no gt-complex jar is present on the classpath.
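A branch-aware version check, added here as an example rather than taken from the page or the GeoTools project. It reads lines from mvn dependency:tree output or jar file names (both formats assumed), decides per artifact whether the version predates the first fixed release on its branch, and reports whether gt-complex is still present so the workaround can be confirmed. The sample lines are constructed.

```python
import re
from typing import List, Optional, Tuple

# First fixed release on each maintained branch, per the vendor advisory.
# 32.x and later contain the fix; branches older than 29.x have no fixed release.
FIXED = {31: (31, 2), 30: (30, 4), 29: (29, 6)}

# Matches either a Maven dependency:tree line such as
#   [INFO] +- org.geotools:gt-main:jar:31.1:compile
# or a jar file name such as gt-complex-31.1.jar (both formats are assumptions).
_TREE = re.compile(r"org\.geotools(?:\.[\w.-]+)?:(gt-[\w-]+):jar:([\w.-]+)")
_JAR = re.compile(r"\b(gt-[a-z0-9-]+?)-(\d+\.\d+(?:[.-][\w.]+)?)\.jar\b")


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """'31.1', '29.6', '31.1-SNAPSHOT' -> (major, minor); None if unparsable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:[.-].*)?", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable(version: str) -> bool:
    """True if this GeoTools version predates the first fixed release on its branch."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised GeoTools version: {version!r}")
    major, minor = v
    if major > max(FIXED):
        return False  # newer branch, shipped after the fix
    if major in FIXED:
        return (major, minor) < FIXED[major]
    return True  # 28.x and older: every release on the branch is affected


def scan(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (artifact, version, vulnerable) for each GeoTools jar found in lines."""
    found = []
    for line in lines:
        m = _TREE.search(line) or _JAR.search(line)
        if m:
            artifact, version = m.group(1), m.group(2)
            found.append((artifact, version, is_vulnerable(version)))
    return found


def gt_complex_present(findings: List[Tuple[str, str, bool]]) -> bool:
    """The 'remove gt-complex' workaround is only in effect if this returns False."""
    return any(artifact == "gt-complex" for artifact, _, _ in findings)


# Constructed sample: three dependency:tree lines plus one classpath entry.
SAMPLE = [
    "[INFO] +- org.geotools:gt-main:jar:31.1:compile",
    "[INFO] |  \\- org.geotools:gt-complex:jar:31.1:compile",
    "[INFO] +- org.geotools:gt-epsg-hsql:jar:31.1:compile",
    "/opt/app/lib/gt-main-30.4.jar",
]

if __name__ == "__main__":
    results = scan(SAMPLE)
    for artifact, version, vulnerable in results:
        print(f"{artifact}-{version}: {'VULNERABLE' if vulnerable else 'fixed'}")
    print("gt-complex on classpath:", gt_complex_present(results))
```

Feed it the real output of mvn dependency:tree or a listing of the deployment's lib directory; any mix of fixed and unfixed versions in one application points to an upgrade that did not cover every GeoTools module.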

📡 Detection & Monitoring

Log Indicators:

  • Unusual XPath expression patterns in request parameters: function-call syntax, predicates, or fully qualified Java class names where a plain attribute name is expected
  • Java process spawning unexpected child processes (shells, curl, wget)
  • Errors in XPath evaluation, in particular exceptions from org.apache.commons.jxpath (a successful exploit may log no error at all)

Network Indicators:

  • Outbound connections from application to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

source="application.logs" AND ("XPath" OR "gt-complex" OR "jxpath") AND (error OR exception)

This is a Splunk-style query; replace the source and field names with your own. It only surfaces failed evaluations, so pair it with a search over the request parameters themselves for the expression patterns listed above.
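The two log-side signals above (a suspicious expression in a request parameter, and a JXPath evaluation error) as detection logic run over sample lines. This is an added example, not from the page or the GeoTools project; the log layout, the propertyName/xpath parameter names and the heuristic patterns are assumptions, and the sample lines are constructed, with the second one modelled on JXPath's extension-function call syntax.

```python
import re
from typing import List, Tuple

# Assumed log layout: "<timestamp> <LEVEL> <logger> - <message>", with request
# parameters logged as key=value pairs. Adjust the parameter names to your app.
_PARAM = re.compile(r"(?:propertyName|xpath)=(\S+)", re.I)

# A legitimate property name is a (prefixed) attribute name with optional "/"
# steps. Function calls, predicates, "@" references and Java package paths do
# not belong in one. Heuristic: tune "@" and "[" if your schema uses them.
_SUSPICIOUS_XPATH = re.compile(r"\w+\s*\(|\[|@|\b(?:java|javax)\.\w")

# Evaluation failures inside commons-jxpath, which the gt-complex module uses.
_JXPATH_ERROR = re.compile(r"org\.apache\.commons\.jxpath|gt-complex", re.I)
_ERROR_LEVEL = re.compile(r"error|exception", re.I)

# Constructed sample lines, not real application logs.
SAMPLE_LOGS = [
    "2024-07-01T10:00:01Z INFO  FeatureQuery - propertyName=gml:name typeName=topp:states",
    "2024-07-01T10:00:07Z INFO  FeatureQuery - propertyName=exec(java.lang.Runtime.getRuntime(),'id') typeName=topp:states",
    "2024-07-01T10:00:07Z INFO  FeatureQuery - propertyName=location/geometry typeName=topp:states",
    "2024-07-01T10:00:08Z ERROR FeatureQuery - org.apache.commons.jxpath.JXPathException: evaluation of 'exec(...)' failed",
]


def detect(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule, evidence) for every line that trips a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _PARAM.search(line)
        if m and _SUSPICIOUS_XPATH.search(m.group(1)):
            hits.append((n, "suspicious-xpath", m.group(1)))
        if _JXPATH_ERROR.search(line) and _ERROR_LEVEL.search(line):
            hits.append((n, "jxpath-error", line.split(" - ", 1)[-1]))
    return hits


if __name__ == "__main__":
    for n, rule, evidence in detect(SAMPLE_LOGS):
        print(f"line {n}: {rule}: {evidence}")
```

The first rule fires on the request before evaluation happens, which matters because a successful exploit typically raises no exception; the second catches the failed attempts that the SIEM query above also sees.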

🔗 References

  • Vendor advisory: https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-36404