Vulnerability Description
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Geosolutionsgroup | Jai-Ext | < 1.1.22 |
Related Weaknesses (CWE)
References
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965Patch
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73Vendor Advisory
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965Patch
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73Vendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-US Government Resource
FAQ
What is CVE-2022-24816?
CVE-2022-24816 is a vulnerability with a CVSS score of 10.0 (CRITICAL). JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as th...
How severe is CVE-2022-24816?
CVE-2022-24816 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-24816?
Check the references section above for vendor advisories and patch information. Affected products include: Geosolutionsgroup Jai-Ext.