← Retour aux CVEs
CVE-2022-24816
CRITICALCISA KEV10.0
Description
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
Details CVE
Score CVSS v3.110.0
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie4/13/2022
Derniere modification10/24/2025
Sourcekev
Observations honeypot0
CISA KEV
FournisseurOSGeo
ProduitJAI-EXT
Nom vulnerabiliteOSGeo GeoServer JAI-EXT Code Injection Vulnerability
Date ajout KEV2024-06-26
Date limite remediation2024-07-17
Utilise dans ransomwareUnknown
Produits affectes
geosolutionsgroup:jai-ext
Faiblesses (CWE)
CWE-94CWE-94
References
https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb(security-advisories@github.com)
https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx(security-advisories@github.com)
https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24816(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.