GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack through specially crafted DB2 jdbc url leading to to Remote Code Execution (RCE). Version 2.27.0 fixes the issue.

Affected Products

Vendor	Product	Versions
geoserver	org.geoserver.extension:gs-db2	< 2.27.0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	geoserver	cert_advisory	90%

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-g628-r368-6vh7(x_refsource_CONFIRM)
https://github.com/geoserver/geoserver/releases/tag/2.27.0(x_refsource_MISC)
https://nvd.nist.gov/vuln/detail/cve-2023-27867(x_refsource_MISC)
https://osgeo-org.atlassian.net/browse/GEOT-7725(x_refsource_MISC)

Related News (2 articles)

Tier C

VulDB9d ago

CVE-2025-27511 | geoserver org..extension:gs-db2 up to 2.26.x deserialization (GHSA-g628-r368-6vh7)

→ No new info (linked only)

Tier B

BSI Advisories16d ago

[NEU] [mittel] GeoServer: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.17.2 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

org.geoserver.extension:gs-db2@2.27.0

CWECWE-502, CWE-74

PublishedJun 11, 2026

Last enriched9d agov2

GeoServer DB2 DataStore Extension has a JNDI Vulnerability via Store Connection

Description

Affected Products

Also Affects

References

Related News (2 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History