GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection
- When
- Where: Global (internet)
- Category: cyber_advisory · maven
## Summary

An administrator can perform a JNDI attack through a specially crafted DB2 JDBC URL, leading to Remote Code Execution (RCE).

## Impact

If GeoServer has the DB2 extension installed, this vulnerability can lead to execution of arbitrary code.

## Details

Authenticated users can access the Vector Data Sources page to create a new data store through a DB2 JDBC connection, perform a JNDI attack because the connection parameters are unrestricted, and then achieve RCE through deserialization of untrusted data.

### Remediation

This issue has been fixed in this release: https://github.com/geoserver/geoserver/releases/tag/2.27.0.

## References

* https://osgeo-org.atlassian.net/browse/GEOT-7725
* https://nvd.nist.gov/vuln/detail/cve-2023-27867
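As an added defensive illustration (not GeoServer's code and not the project's fix, which is the 2.27.0 release above), the check below parses a DB2-style JDBC URL and rejects any connection property that is not on an explicit allow-list, so a store configuration cannot pass arbitrary driver settings through to the driver. The URL shape, the default port and the allow-list contents are assumptions made for this example.

```python
"""Allow-list validation for DB2-style JDBC connection strings.

Constructed example.  It assumes the IBM Data Server Driver URL shape
    jdbc:db2://host[:port]/database[:prop=value;prop=value;]
and refuses any property the operator has not explicitly allowed.
The allow-list and the default port are demo assumptions, not values
taken from GeoServer or the DB2 driver documentation.
"""
import re

# Assumed allow-list: only properties an operator would knowingly expose.
ALLOWED_PROPERTIES = {"currentSchema", "sslConnection", "loginTimeout"}
DEFAULT_DB2_PORT = 50000  # assumed default for the example

_URL_RE = re.compile(
    r"jdbc:db2://(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d{1,5}))?"
    r"/(?P<db>[A-Za-z0-9_]+)(?::(?P<props>.*))?"
)


class UnsafeJdbcUrl(ValueError):
    """Raised when a store URL would hand unvetted settings to the driver."""


def parse_db2_url(url: str) -> dict:
    """Split a DB2 JDBC URL into host, port, database and its property map."""
    m = _URL_RE.fullmatch(url)
    if not m:
        raise UnsafeJdbcUrl("not a plain jdbc:db2:// URL")
    props = {}
    for item in filter(None, (m.group("props") or "").split(";")):
        if "=" not in item:
            raise UnsafeJdbcUrl(f"malformed property {item!r}")
        key, value = item.split("=", 1)
        props[key.strip()] = value.strip()
    return {"host": m.group("host"), "port": int(m.group("port") or DEFAULT_DB2_PORT),
            "database": m.group("db"), "properties": props}


def validate_store_url(url: str) -> dict:
    """Return the parsed URL, or raise if any property is off the allow-list."""
    parsed = parse_db2_url(url)
    rejected = sorted(set(parsed["properties"]) - ALLOWED_PROPERTIES)
    if rejected:
        raise UnsafeJdbcUrl(f"disallowed connection properties: {rejected}")
    return parsed


def is_safe_store_url(url: str) -> bool:
    """Boolean form of validate_store_url for callers that only need a verdict."""
    try:
        validate_store_url(url)
        return True
    except UnsafeJdbcUrl:
        return False
```

The same allow-list approach applies to any store type whose connection string is built from user-supplied parameters; rejecting unknown keys is what removes the "unrestricted connection parameters" condition the advisory describes.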
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-11 20:34 UTC