Unchecked JNDI lookups in GeoTools
Description
GeoTools library has unchecked JNDI lookups exploitable for arbitrary code execution when user-provided JNDI names are used, fixed in versions 26.4, 25.6, and 24.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The GeoTools library (versions prior to 26.4, 25.6, and 24.6) contains multiple data sources that can perform unchecked JNDI lookups. This vulnerability, similar to the Log4J case, allows an attacker to trigger class deserialization when JNDI names are user-provided. However, the attack requires admin-level login to be triggered. The affected versions are all versions before the patched releases: GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6 [1][2].
Exploitation
An attacker needs admin-level access to a downstream application (such as GeoServer) in order to supply a malicious JNDI string through the user interface or the REST configuration. No further authentication is required beyond that admin access, and no additional user interaction is needed once attacker-controlled input reaches the lookup (whether entered directly from the attacker's admin session or by an admin who has been tricked into entering it). In outline: an attacker with admin credentials supplies a crafted JNDI name (for example one using the LDAP scheme), GeoTools looks that name up, remote classes are deserialized, and arbitrary code execution may follow [1][2].
Impact
Successful exploitation results in arbitrary code execution (RCE) on the server running the downstream application. This gives the attacker full control over the affected system, including the ability to read, modify, or delete data, install malware, or pivot to other systems. The compromise occurs at the privilege level of the application process [1][2].
Mitigation
The vulnerability is fixed in GeoTools versions 26.4, 25.6, and 24.6 (published 2022-04-13). Users should upgrade to these patched versions immediately. The fix restricts JNDI lookups to names that have no scheme or use the java scheme, rejecting other schemes such as LDAP [1][2]. For users unable to upgrade, a workaround is to ensure that downstream applications (e.g., GeoServer) do not accept remotely provided JNDI strings; specifically, make the GUI and REST configuration unreachable from remote hosts [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The library performs unchecked JNDI lookups on user-provided names, enabling deserialization and arbitrary code execution."
Attack vector
An attacker can trigger this vulnerability by providing a malicious JNDI name. This requires admin-level login to be effective. The vulnerability is similar to the Log4J case, where JNDI names are user-controlled and lead to code execution [1].
Affected code
The vulnerability lies within the JNDI lookup functionality of the GeoTools library. Specifically, the `GeoTools.java` file has been modified to include a `jndiValidator` and a `jndiLookup` method. The `getInitialContext` method has been deprecated in favor of the new `jndiLookup` method [1].
What the fix does
The patch introduces a JNDI name validator, `DEFAULT_JNDI_VALIDATOR`, which restricts lookups to names without a scheme or those using the `java` scheme. This prevents the lookup of arbitrary remote JNDI resources, thereby mitigating the risk of deserialization and code execution. The validator can be customized via `setJNDINameValidator` [1].
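As an added illustration of the scheme allow-list described under Mitigation and above (this is not GeoTools's own code; the class `JndiNameGuard`, its methods and the sample names are assumptions of this example), the check below accepts only names with no scheme or the `java` scheme and applies it before any `InitialContext.lookup` is performed:

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Example scheme allow-list for JNDI names (hypothetical class, not GeoTools's). */
public final class JndiNameGuard {

    /** True when the name has no scheme (e.g. "jdbc/x") or the "java" scheme (e.g. "java:comp/env/x"). */
    public static boolean isAllowedJndiName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        String scheme;
        try {
            // URI parsing yields the scheme portion: "java:comp/env/x" -> "java", "jdbc/x" -> null.
            // Names that are not valid URIs at all are rejected as well (fail closed).
            scheme = new URI(name).getScheme();
        } catch (URISyntaxException e) {
            return false;
        }
        return scheme == null || scheme.equalsIgnoreCase("java");
    }

    /** Validating wrapper: a remote scheme such as ldap never reaches the JNDI resolver. */
    public static Object guardedLookup(String name) throws NamingException {
        if (!isAllowedJndiName(name)) {
            throw new NamingException("JNDI name rejected by scheme allow-list: " + name);
        }
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(name);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample names: two local names that pass, two that are rejected.
        String[] samples = {
            "jdbc/myDataStore",                 // no scheme -> allowed
            "java:comp/env/jdbc/myDataStore",   // java scheme -> allowed
            "ldap://directory.example/cn=x",    // remote scheme -> rejected
            "my data store"                     // not a valid URI -> rejected
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowedJndiName(s) ? "allowed" : "rejected"));
        }
    }
}
```

Note that a URI-based parse also rejects names containing characters that are invalid in URIs (such as spaces), so deployments that rely on such local names should verify them against the validator before upgrading.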
Preconditions
- Auth: Admin-level login is required to trigger the vulnerability.
- Input: The JNDI name must be user-provided.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49
- github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x
News mentions
No linked articles in our index yet.