Remote Code Execution with XStream

Description

Hello GeoServer Team,

I'd like to report to you a remote code execution vulnerability.
I found it during a penetration test for a customer this week.

The attached request executes "/usr/bin/xterm" on the target.

The problem is that your REST implementation is using XStream that is configured in an insecure way.

Please let me know if you have any questions.

Thank you,
Matthias
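The weak setting the report points at, beside its corrected form, as an added example (not code from the report or from GeoServer): a default XStream instance instantiates whatever class the incoming XML names, while an instance hardened with XStream's security framework (1.4.7 and later) starts from deny-all and allows only the expected types. The `LayerInfo` class and the sample XML are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical DTO standing in for the types a REST endpoint legitimately accepts.
    public static class LayerInfo {
        public String name;
        public boolean enabled;
    }

    // Weak setting: with no permissions configured, the sender of the XML decides
    // which classes get constructed, which is what makes the endpoint exploitable.
    public static XStream permissive() {
        return new XStream();
    }

    // Corrected setting: clear all permissions, then allow only what the endpoint needs.
    public static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny-all baseline
        xs.addPermission(NullPermission.NULL);                // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives and wrappers
        xs.allowTypes(new Class[] { String.class, LayerInfo.class });
        xs.alias("layer", LayerInfo.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed input: one legitimate document and one naming an unexpected type.
        String expected = "<layer><name>roads</name><enabled>true</enabled></layer>";
        String unexpected = "<java.util.HashMap/>";

        XStream xs = hardened();
        LayerInfo li = (LayerInfo) xs.fromXML(expected);
        System.out.println("accepted: " + li.name + " enabled=" + li.enabled);

        try {
            xs.fromXML(unexpected);
            System.out.println("BUG: unexpected type was deserialized");
        } catch (XStreamException e) {
            // The allowlist raises ForbiddenClassException, a subclass of XStreamException.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Swapping `hardened()` for `permissive()` in `main` shows the difference: the permissive instance happily constructs the `HashMap`, which is the behaviour a REST endpoint must never expose to unauthenticated input.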

Environment

None

Status

Assignee

Unassigned

Reporter

Matthias Kaiser

Triage

None

Fix versions

Affects versions

2.7.1.1

Components

Priority

Highest