
CVSS: 10.0 • EPSS: 94% • CPEs: 1 • EXPL: 1

13 Apr 2022 — JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to remote code execution, as the Jiffle script is compiled into Java code via Janino and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle sc... • https://github.com/c1ph3rbyt3/CVE-2022-24816 • CWE-94: Improper Control of Generation of Code ('Code Injection')