GHSA-g628-r368-6vh7HighCVSS 7.2

GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection

Published
June 11, 2026
Last Modified
June 11, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Administrator can perform JNDI attack through specially crafted DB2 jdbc url leading to Remote Code Execution (RCE).

Impact

If GeoServer has DB2 extension installed, this vulnerability can lead to executing arbitrary code.

Details

Authenticated users can access Vector Data Sources page to creating a new data store through db2 jdbc connection, performing JNDI attack due to unrestricted connection parameters, and then achieve RCE with deserialization of untrusted data.

Remediation

This issue has been fixed in this release: https://github.com/geoserver/geoserver/releases/tag/2.27.0.

References

  • https://osgeo-org.atlassian.net/browse/GEOT-7725
  • https://nvd.nist.gov/vuln/detail/cve-2023-27867

🎯 Affected products1

  • maven/org.geoserver.extension:gs-db2:< 2.27.0

🔗 References (3)