Critical severity9.8NVD Advisory· Published Jun 12, 2023· Updated Jun 17, 2026
CVE-2023-35042
CVE-2023-35042
Description
GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in any version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.geoserver:gs-wmsMaven | < 2.18.6 | 2.18.6 |
org.geoserver:gs-wfsMaven | < 2.18.6 | 2.18.6 |
org.geoserver:gs-wmsMaven | >= 2.19.0, < 2.19.6 | 2.19.6 |
org.geoserver:gs-wfsMaven | >= 2.19.0, < 2.19.6 | 2.19.6 |
org.geoserver:gs-wmsMaven | >= 2.20.0, < 2.20.4 | 2.20.4 |
org.geoserver:gs-wfsMaven | >= 2.20.0, < 2.20.4 | 2.20.4 |
org.geoserver:gs-wpsMaven | < 2.18.6 | 2.18.6 |
org.geoserver:gs-wpsMaven | >= 2.19.0, < 2.19.6 | 2.19.6 |
org.geoserver:gs-wpsMaven | >= 2.20.0, < 2.20.4 | 2.20.4 |
Affected products
11- osv-coords10 versionspkg:apk/chainguard/geoserver-2.26-communitypkg:apk/chainguard/geoserver-2.26-dockerpkg:apk/chainguard/geoserver-2.27-communitypkg:apk/chainguard/geoserver-2.27-dockerpkg:apk/chainguard/geoserver-2.28-communitypkg:apk/chainguard/geoserver-2.28-dockerpkg:apk/chainguard/geoserver-3.0pkg:maven/org.geoserver/gs-wfspkg:maven/org.geoserver/gs-wmspkg:maven/org.geoserver/gs-wps
< 2.26.4-r0+ 9 more
- (no CPE)range: < 2.26.4-r0
- (no CPE)range: < 2.26.4-r0
- (no CPE)range: < 2.27.3-r0
- (no CPE)range: < 2.27.3-r0
- (no CPE)range: < 2.28.0-r0
- (no CPE)range: < 2.28.0-r0
- (no CPE)range: < 0
- (no CPE)range: < 2.18.6
- (no CPE)range: < 2.18.6
- (no CPE)range: < 2.18.6
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-59x6-g4jr-4hxcghsaADVISORY
- isc.sans.edu/diary/29936nvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-35042ghsaADVISORY
- docs.geoserver.org/stable/en/user/services/wps/operations.htmlnvdProductWEB
- geoserver.org/vulnerability/2022/04/11/geoserver-2-jiffle-jndi-rce.htmlghsaWEB
- osgeo-org.atlassian.net/browse/GEOS-10458ghsaWEB
News mentions
0No linked articles in our index yet.