CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-24846 – Unchecked JNDI lookups in GeoWebCache
https://notcve.org/view.php?id=CVE-2022-24846
GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. While in GeoWebCache the JNDI strings are provided via local configuration file, in GeoServer a user interface is provided to perform the same, that can be accessed remotely, and requires admin-level login to be used. These lookup are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3. • https://github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 5.0EPSS: 0%CPEs: 26EXPL: 0CVE-2008-7227
https://notcve.org/view.php?id=CVE-2008-7227
PartialBufferOutputStream2 in GeoServer before 1.6.1 and 1.7.0-beta1 attempts to flush buffer contents even when it is handling an "in memory buffer," which prevents the reporting of a service exception, with unknown impact and attack vectors. PartialBufferOutputStream2 de GeoServer anterior a v1.6.1 y v1.7.0-beta1, intenta renovar los contenidos del búfer incluso cuando está trabajando un "búfer en memoria", esto evita que se muestren las excepciones en este servicio, lo que tiene un impacto y vectores de ataque desconocidos. • http://jira.codehaus.org/browse/GEOS-1747 http://osvdb.org/43266 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •