← back
CVE-2025-27511

GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection

CVSS 7.2 HIGHEPSS 0.6%CWE-502CWE-74
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
geoserver · org.geoserver.extension:gs-db2

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/geoserver/geoserver/releases/tag/2.27.0https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7https://nvd.nist.gov/vuln/detail/cve-2023-27867https://osgeo-org.atlassian.net/browse/GEOT-7725