CVE-2025-27511

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

geoserver / org.geoserver.extension:gs-db2< 2.27.0 – < 2.27.0

References

VENDOR_ADVISORYhttps://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7
PATCHhttps://github.com/geoserver/geoserver/releases/tag/2.27.0
CONFIRMhttps://nvd.nist.gov/vuln/detail/cve-2023-27867
MISChttps://osgeo-org.atlassian.net/browse/GEOT-7725