CVE-2023-35042 Information

Description

GeoServer 2 in some configurations allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request as exploited in the wild in June 2023.

Reference

https://docs.geoserver.org/stable/en/user/services/wps/operations.html#execute https://isc.sans.edu/diary/29936