Description

GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in any version.

Remediation

References

CVE-2023-35042

Related Vulnerabilities

Jenkins Improper Authentication Vulnerability (CVE-2018-1999045)

WordPress Plugin Add Custom Link to WordPress Admin Bar Cross-Site Scripting (1.0)

Family Connections Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2009-2010)

WordPress Plugin One Click Upsell Funnel for WooCommerce Unspecified Vulnerability (2.0.0)

WordPress Plugin Contact Form 7 Database Multiple Vulnerabilities (1.1)

Severity

Critical

Classification

CVE-2023-35042 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities