CVE-2025-27511
Severity: HIGH
GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
Title source: CNA description
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through a specially crafted DB2 JDBC URL, leading to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.
References (4)
Core References
x_refsource_confirm: https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7
x_refsource_misc: https://github.com/geoserver/geoserver/releases/tag/2.27.0
x_refsource_misc: https://nvd.nist.gov/vuln/detail/cve-2023-27867
x_refsource_misc: https://osgeo-org.atlassian.net/browse/GEOT-7725
Scores
CVSS v3.1 base score: 7.2
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-502, CWE-74
Status: published
Products (1)
geoserver/org.geoserver.extension:gs-db2: < 2.27.0
Published: Jun 18, 2026
Tracked Since: Jun 18, 2026