CVE-2022-24816
CRITICAL CISA KEV
Published Apr 13, 2022 (4y ago) · Modified Jun 17, 2026 (1w ago)
10.0 CVSS 3.1
KEV Listed Jun 26, 2024 (2y ago)
KEV Due Jul 17, 2024 (713d overdue)
Description
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
CVSS Details
Base Score
Exploitability
Impact
Vector string: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Threat Intelligence
CISA Known Exploited (Overdue 713d)
- Added: Jun 26, 2024
- Due: Jul 17, 2024
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploit & Patch Status
Actively Exploited (KEV)
Patch Available
Weaknesses 1
- CWE-94: Improper Control of Generation of Code ('Code Injection') (category: Injection)
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| geosolutionsgroup | jai-ext | * | <1.1.22 |
References 3
- github.com https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
- github.com https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
- cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24816
Remediation
- github.com https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb