GeoTools is an open source Java library that provides tools for geospatial data. Several data sources in the GeoTools library perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. As in the Log4j case, the vulnerability can be triggered when the JNDI names are user-provided; in GeoTools, however, triggering it requires an admin-level login. The lookups are restricted in GeoTools 26.4, GeoTools 25.6, and GeoTools 24.6. Users unable to upgrade should ensure that downstream applications do not allow the use of remotely provided JNDI strings.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24818.json",
"cwe_ids": [
"CWE-20"
],
"cna_assigner": "GitHub_M"
}{
"source": [
"CPE_FIELD",
"REFERENCES"
],
"cpe": "cpe:2.3:a:geotools:geotools:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "24.6"
},
{
"introduced": "25.0"
},
{
"fixed": "25.6"
},
{
"introduced": "26.0"
},
{
"fixed": "26.4"
}
]
}"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24818.json"
"2026-04-13T11:28:32Z"
[
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "createDataSource",
"file": "modules/library/jdbc/src/main/java/org/geotools/jdbc/JDBCJNDIDataStoreFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-00f9b829",
"signature_type": "Function",
"digest": {
"length": 873.0,
"function_hash": "275800312213311213907500290323509805335"
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "AbstractEpsgFactory",
"file": "modules/library/referencing/src/main/java/org/geotools/referencing/factory/epsg/AbstractEpsgFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-1f81b313",
"signature_type": "Function",
"digest": {
"length": 976.0,
"function_hash": "43992556460118793965795708473286672404"
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"file": "modules/library/metadata/src/test/java/org/geotools/util/factory/GeoToolsTest.java"
},
"deprecated": false,
"id": "CVE-2022-24818-235653af",
"signature_type": "Line",
"digest": {
"line_hashes": [
"320776908078840278562597292281846411309",
"197470566298213138177638794690794814421",
"243790959677029835508462431377058008201",
"208994396375442650921201999988872879710",
"79263672038990647316016336085691318040",
"302312519362780387570931058838700238797",
"247182942546615911816849345212576712746",
"154269985394226347176255812147861183560",
"323130073498670657141272883268279915458",
"157503990013798792540861676676489877438",
"323899114712598204212455810856555947863",
"73139223143208049135141552692363937616",
"321957063483891121427655046794649531981",
"56146822736227129563643461851034607314",
"104682102384500627487010474004557246802",
"142232306242371277614388408078367361852",
"304271045253686497014883032353379819370",
"104106354608178294194535608963045955291"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "isAvailable",
"file": "modules/library/jdbc/src/main/java/org/geotools/data/jdbc/datasource/JNDIDataSourceFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-2cddf751",
"signature_type": "Function",
"digest": {
"length": 111.0,
"function_hash": "135556739719907685263024600773178325084"
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"file": "modules/library/jdbc/src/main/java/org/geotools/data/jdbc/datasource/JNDIDataSourceFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-42eabe2e",
"signature_type": "Line",
"digest": {
"line_hashes": [
"41338478385956462649395978835544203336",
"66209328906742986954165953855661983715",
"51582191850363020362240629532620643564",
"290031466391790968975333306429278459094",
"306072431899030606063248524426096734112",
"278895562905120741477615817767317574463",
"75816264216494853048066315516829655261",
"190782912750249981252870805520408675274",
"175521015776145498503837314915150265584",
"160879807003976044217302093862096455149",
"292358466290932686054295082742404339110",
"335391923332883398951730313256478179123"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"file": "modules/library/referencing/src/main/java/org/geotools/referencing/factory/AbstractEpsgMediator.java"
},
"deprecated": false,
"id": "CVE-2022-24818-4630e796",
"signature_type": "Line",
"digest": {
"line_hashes": [
"288377962679490883052370204513503590546",
"282520356061942246220037629236291067292",
"314734615822363924459657210586935545943",
"116808566340964411312831975886110626431",
"97647031626488223004455023342426338993",
"76358337431880035896412765496848183878",
"7199773008951825777984392225234493843",
"160121139444603163162554471736002394232",
"190750265842756401743730035448325175402",
"196420163264460981665428659783466546958",
"67446760854361590065101843468557379856"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"file": "modules/library/jdbc/src/main/java/org/geotools/jdbc/JDBCJNDIDataStoreFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-4c8f13df",
"signature_type": "Line",
"digest": {
"line_hashes": [
"95897182011480528598917928761865074046",
"37638859435015021897098935510843092101",
"312398756923741425756871845808617714669",
"209335123679999880386953732588283084927",
"121754198194839761377222735947879016880",
"206766373133572994738062730812510448956",
"154419998476310785588883416367263201898",
"233284925849353970313731053168066482405",
"36013696061426630376850042891228758151",
"238679875113140782431056777314817360071",
"235591225001688623225874856518934896654",
"282404325385918103758599543711252396463",
"333442928451505600760615499609816394485",
"117866783851457133534242946842665633110",
"180627581686196384923110644478452846088",
"201138225991073308134551931139600067162",
"290529614955164463551294601339514226533",
"133476686817482565555300129677933268587",
"112818157293243040098535956501935309671",
"250679831432219378908447392225113415130",
"306072431899030606063248524426096734112",
"278895562905120741477615817767317574463",
"75816264216494853048066315516829655261",
"36583096607462820021501483574051567997",
"164614626948108004180074889971669430135",
"39559049594280860449480095036106202694",
"28028384773025694676262335003644841385",
"209540420578694369937829668346363955767",
"233060521308750591591456710396145985450"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"file": "modules/library/metadata/src/test/java/org/geotools/util/factory/FactoryRegistryTest.java"
},
"deprecated": false,
"id": "CVE-2022-24818-594f6fc8",
"signature_type": "Line",
"digest": {
"line_hashes": [
"290334910335120965550068203163744571126",
"10402903922861015062799136792234267901",
"267957388691246245083267536866903886176"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "createBackingStore0",
"file": "modules/library/referencing/src/main/java/org/geotools/referencing/factory/epsg/ThreadedEpsgFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-6b43f513",
"signature_type": "Function",
"digest": {
"length": 1008.0,
"function_hash": "105127833441978138591005354212105029357"
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"file": "modules/library/referencing/src/main/java/org/geotools/referencing/factory/epsg/AbstractEpsgFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-7ba568e9",
"signature_type": "Line",
"digest": {
"line_hashes": [
"195467285464327209345598402057424498448",
"13781244607337679736313850909067888916",
"225878136780733428313436380223099195198",
"12843593014074445604133737483113245373"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "PGRasterConfig",
"file": "modules/unsupported/postgis-raster/src/main/java/org/geotools/gce/pgraster/PGRasterConfig.java"
},
"deprecated": false,
"id": "CVE-2022-24818-7ef5e9d3",
"signature_type": "Function",
"digest": {
"length": 2748.0,
"function_hash": "235099210637155025253732078294899888909"
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "lookupDataSource",
"file": "modules/library/referencing/src/main/java/org/geotools/referencing/factory/AbstractEpsgMediator.java"
},
"deprecated": false,
"id": "CVE-2022-24818-84fb6ea8",
"signature_type": "Function",
"digest": {
"length": 488.0,
"function_hash": "252448093879672993961180078699021564858"
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"file": "modules/library/metadata/src/main/java/org/geotools/util/factory/GeoTools.java"
},
"deprecated": false,
"id": "CVE-2022-24818-8b3548af",
"signature_type": "Line",
"digest": {
"line_hashes": [
"177737789067382856795362128164302114981",
"60240063525251842709566075512709844302",
"141046411725894996260250826115460471176",
"5425787628930063658256436245970101991",
"152443797664975098461019443481296804983",
"97226943618845090324603343889936139373",
"213070139971808995082162274827627921930",
"125280163914169626575217809374118906008",
"40464450649354710671492777649932493157",
"257125503197379357322638576115730938602",
"192027951794086365042202387258072508573",
"253624127198839867072464859692268252824",
"211272050390246707196570348344287834527",
"60095635699910511793249109781214136796",
"103509340244622304274981384387235400054",
"65430495045179056649562048256460895779",
"2417390765557160704643171865113772382",
"55572008243602478728916989247892572217",
"161123290232513974707618203316035175099",
"328588034383031934762510664537615763716",
"81323717010064763955726203959088005988",
"146899898276238826689844469805711584662",
"2000681568605899978614416080131032472",
"85573598244435503922265747145817277635",
"216300742473425026581134320276539828432",
"280020188580274760306132206482356737045",
"127119457437173331034671363539209457641",
"228115694284227051766210223399276634488",
"43618912311201960463265032900333250038",
"77703234674931755837971907759585810731",
"286887568861103862189856833628227952229",
"241847585254573829419944675186768519717",
"275585318012203219355355960716229381862",
"272823921458329896957677046794133723262",
"37227520680529204108839553499994092864",
"265805362980254723703167704027708225339",
"145598524645585429807488925063755449520",
"318056239483645676218292209462069242625",
"67654016083073249715547046447365594843",
"121001279714045832562790400760692064044",
"42558301207005126726325782865544796230",
"103323454965433478294949176556748646013",
"276602200488020386194664168260428954161"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"file": "modules/unsupported/postgis-raster/src/main/java/org/geotools/gce/pgraster/PGRasterConfig.java"
},
"deprecated": false,
"id": "CVE-2022-24818-9f87d207",
"signature_type": "Line",
"digest": {
"line_hashes": [
"318731052868426281680923369138240187426",
"11789749648504388022279498695021623844",
"244409709578507379723475879065262636324",
"229547726592651823601403483437827853234"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "createDataSource",
"file": "modules/library/referencing/src/main/java/org/geotools/referencing/factory/epsg/ThreadedEpsgFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-a04e0301",
"signature_type": "Function",
"digest": {
"length": 323.0,
"function_hash": "282571639538701426039503706963472666338"
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "isAvailable",
"file": "modules/library/jdbc/src/main/java/org/geotools/jdbc/JDBCJNDIDataStoreFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-aaf2af0d",
"signature_type": "Function",
"digest": {
"length": 117.0,
"function_hash": "204153004638617683575463516279177457417"
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "getInitialContext",
"file": "modules/library/metadata/src/main/java/org/geotools/util/factory/GeoTools.java"
},
"deprecated": false,
"id": "CVE-2022-24818-bbd0dc4f",
"signature_type": "Function",
"digest": {
"length": 85.0,
"function_hash": "56366454721582668778943584307051679512"
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"file": "modules/library/referencing/src/main/java/org/geotools/referencing/factory/epsg/ThreadedEpsgFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-c96d1cb7",
"signature_type": "Line",
"digest": {
"line_hashes": [
"196386991214627511007277243054677041698",
"156530108635419218906044024376579970174",
"21515824686189153102896757508818422542",
"244806703122759061823201679862182322938",
"339049604866915587291161166246525554786",
"28807753171722428913590026033199832300",
"263817764148599536296642021460661974484",
"167831674410441755776590895394356105062",
"24072450802343129293210113010124126997",
"250713270013064375121107272390468129528",
"271182121636397420395482536583494046547",
"288197859664543497947596086951956104272",
"256700314387250060992424541610564018413",
"12161716479790984223482134831652690068",
"139978884357116004284810791076073917709",
"193591884947249806035806878797971605230",
"50654299692668399810101107481191691153",
"328170905722997371045011833926574357783",
"232448163203843549253107948194635061716",
"221945132076360274940336064557763012092",
"161365961951200405014016619781890196173",
"199418950611255029422247080709657146754",
"179710394149533347612724323033847694070",
"853093228011098403674442077326046879",
"306463854038694018656848210361440934279",
"105621465937215121384196208539149734413",
"295023558263161234850564473126418689028",
"71287110408275879317343269015845809347",
"4934132466788756131775080858409724163",
"14832240156973846830959263608158920864",
"32253893471543965441918759623894850762",
"210807525817066363240799941499191647506",
"65003461053678116211570419260872019996",
"292097403667612638905662657304903899856",
"266177729816403651369700887745641379761",
"92308760494043168414094347265919129280",
"215394207770414571890090733921657218454",
"223069191518730752503078946260678001100",
"278442685147417650533050163686548801131",
"99526095524693176005239483030914318991",
"232760427046396487311955790287924598748",
"312203700075998298023821174230643635117",
"87666799150430142857364665867072799383",
"132458209432667419545170620544458427465",
"50281617881835104654290500561786335982",
"265177117291022268847486055594385540225",
"139464210431115172545822727847374759690",
"125088874210061546997339628291438100280",
"166657507866607850312446046242439608553",
"118187276308990340157240634992479022125",
"44162427457363223151664827663999816940",
"130500338227967232023204126096981636059",
"57272285035587927490448213015227403301",
"241158001927801173708005230687834564472",
"176270149898194852583883428406134435437"
],
"threshold": 0.9
}
},
{
"signature_version": "v1",
"source": "https://github.com/geotools/geotools/commit/4f70fa3234391dd0cda883a20ab0ec75688cba49",
"target": {
"function": "createNewDataSource",
"file": "modules/library/jdbc/src/main/java/org/geotools/data/jdbc/datasource/JNDIDataSourceFactory.java"
},
"deprecated": false,
"id": "CVE-2022-24818-ccba7796",
"signature_type": "Function",
"digest": {
"length": 287.0,
"function_hash": "251567920269504623559325959219985117651"
}
}
]