Critical severity 9.1 · NVD Advisory · Published Apr 14, 2022 · Updated Jun 17, 2026
CVE-2022-24846
Description
GeoWebCache is a tile caching server implemented in Java. The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. In GeoWebCache the JNDI strings are provided via a local configuration file, while GeoServer provides a user interface for the same purpose that can be accessed remotely and requires an admin-level login. These lookups are unrestricted in scope and can lead to code execution. The lookups are going to be restricted in GeoWebCache 1.21.0, 1.20.2, 1.19.3.
Affected products
- (no CPE)
- (no CPE), range: >= 1.20.0, < 1.20.2
References
- github.com/GeoWebCache/geowebcache/security/advisories/GHSA-4v22-v8jp-438r (nvd, Third Party Advisory)