US government warns of possible security issue with popular geospatial data platform

The US government has warned its agencies of critical software vulnerabilities being exploited in a top geospatial data platform.

Found by security researcher Steve Ikeoka, the flaws affect the OSGeo GeoServer GeoTools, an open source software server used to share and edit geospatial data.

The US Cybersecurity and Infrastructure Security Agency (CISA) added a new vulnerability, tracked as CVE-2024-36401, and carrying a severity score of 9.8, to its Known Exploited Vulnerabilities (KEV) catalog, which means it is being abused by threat actors, and urged them to apply the patch by August 5, 2024.

Remote Code Execution

By custom-tailoring specific inputs, threat actors can abuse the flaws in the software to trigger remote code execution (RCE), it was said.

“Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions,” OSGeo said in a security advisory published with the patch.

The patched versions are 2.23.6, 2.24.4, and 2.25.2, and CISA has given federal agencies until August 5 to update the software or stop using it.

The warning does not state who the threat actors are, nor who the victims are. GeoServer said the flaw is “confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.”

The nature of open-source projects make it impossible to determine how many people might be affected, but we do know that OSGeo, GeoServer, and GeoTools have a large and active user base. The tools are widely used in various industries, including government, academia, and private sector, for geospatial data management, analysis, and visualization. The vibrant communities, frequent contributions, and widespread adoption by prominent organizations all point to their significant and growing usage.

Via TheHackerNews

More from TechRadar Pro

https://cdn.mos.cms.futurecdn.net/uTLwBhC26YCauAq8Swffd8-1200-80.jpg

Source link

Just got an Xbox Series X or S for Christmas? Here are the best 5 accessories to get today

TP-Link and NR routers targeted by worrying new botnet

Just got a PS5 Pro for Christmas? Here are the best five enhanced games to get now

This Mac Mini M4 docking station adds seven ports – and up to 8TB storage – to Apple’s gorgeous mini PC, but I am...

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

‘Heathers’ is still the best dark comedy about high school hell

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

US government warns of possible security issue with popular geospatial data platform

Just got an Xbox Series X or S for Christmas? Here are the best 5 accessories to get today

TP-Link and NR routers targeted by worrying new botnet

Just got a PS5 Pro for Christmas? Here are the best five enhanced games to get now

This Mac Mini M4 docking station adds seven ports – and up to 8TB storage – to Apple’s gorgeous mini PC, but I am...