SCA: security update for org.geoserver:gs-main (GHSA-4pm3-f52j-8ggh)

high Tenable Self-Hosted Container Security Plugin ID 410319

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- GeoServer is an open source software server written in Java that allows users to share and edit geospatial
data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to
perform class deserialization and result in arbitrary code execution. The same can happen while
configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism.
In order to perform any of the above changes, the attack needs to have obtained admin rights and use
either the GeoServer GUI, or its REST API. The lookups are going to be restricted in GeoServer 2.21.0,
2.20.4, 1.19.6. Users unable to upgrade should restrict access to the `geoserver/web` and `geoserver/rest`
via a firewall and ensure that the GeoWebCache is not remotely accessible. (CVE-2022-24847)

See Also

https://github.com/advisories/GHSA-4pm3-f52j-8ggh

Plugin Details

Severity: High

ID: 410319

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2022-24847

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/22/2022

Vulnerability Publication Date: 4/13/2022

Reference Information

CVE: CVE-2022-24847