SecurityWeek reports that the Cybersecurity and Infrastructure Security Agency has updated its Known Exploited Vulnerabilities catalog to include a critical GeoServer flaw, tracked as CVE-2024-36401, urging federal agencies to remediate the bug by August 5.
The vulnerability, which stems from the unsafe evaluation of XPath expressions and could be exploited for remote code execution against all GeoServer deployments, has been addressed in updates that also fixed a second critical remote code execution issue related to the evaluation of user-supplied XPath expressions, tracked as CVE-2024-36404. While no exploitation of CVE-2024-36401 had been reported before the CISA alert, organizations have been advised to apply the released updates rather than rely on the workaround of removing the 'gt-complex-x.y.jar' file, which can break GeoServer functionality. The development comes weeks after an earlier GeoServer bug was added to CISA's KEV catalog.