← Back to CVEs
CVE-2022-24816
CRITICALCISA KEV10.0
Description
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
CVE Details
CVSS v3.1 Score10.0
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published4/13/2022
Last Modified10/24/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorOSGeo
ProductJAI-EXT
Vulnerability NameOSGeo GeoServer JAI-EXT Code Injection Vulnerability
KEV Date Added2024-06-26
Remediation Due Date2024-07-17
Ransomware UseUnknown
Affected Products
geosolutionsgroup:jai-ext
Weaknesses (CWE)
CWE-94CWE-94
References
https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb(security-advisories@github.com)
https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx(security-advisories@github.com)
https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24816(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.