{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-36404",
        "ASSIGNER": "security-advisories@github.com",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact of this workaround, the application schema `datastore` would not function, because it relies on XPath expressions to query complex content. Alternatively, one may use a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are intended to quickly provide a fix to affected applications; they are available for download only and are not available from Maven Central."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
                        "cweId": "CWE-95"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "geotools",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "geotools",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "< 29.6"
                                        },
                                        {
                                            "version_affected": "=",
                                            "version_value": ">= 30.0, < 30.4"
                                        },
                                        {
                                            "version_affected": "=",
                                            "version_value": ">= 31.0, < 31.2"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w",
                "refsource": "MISC",
                "name": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
            },
            {
                "url": "https://github.com/geotools/geotools/pull/4797",
                "refsource": "MISC",
                "name": "https://github.com/geotools/geotools/pull/4797"
            },
            {
                "url": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea",
                "refsource": "MISC",
                "name": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea"
            },
            {
                "url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
                "refsource": "MISC",
                "name": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
            },
            {
                "url": "https://osgeo-org.atlassian.net/browse/GEOT-7587",
                "refsource": "MISC",
                "name": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download"
            },
            {
                "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1",
                "refsource": "MISC",
                "name": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1"
            }
        ]
    },
    "source": {
        "advisory": "GHSA-w3pj-wh35-fq8w",
        "discovery": "UNKNOWN"
    },
    "impact": {
        "cvss": [
            {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
            }
        ]
    }
}