CVE-2022-24816

OSGeo GeoServer JAI-EXT Code Injection Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.

JAI-EXT es un proyecto de código abierto cuyo objetivo es ampliar la API de Java Advanced Imaging (JAI). Los programas que permiten el suministro de scripts Jiffle por petición de red pueden conllevar a una Ejecución de Código Remota, ya que el script Jiffle es compilado en código Java por medio de Janino, y es ejecutado. En particular, esto afecta al proyecto GeoServer de la versión inferior. La versión 1.2.22 contendrá un parche que deshabilita la capacidad de inyectar código malicioso en el script resultante. Los usuarios que no puedan actualizar pueden anular la capacidad de compilar scripts Jiffle desde la aplicación final, al remover janino-x.y.z.jar del classpath

OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-04-13 CVE Published
2024-06-26 Exploited in Wild
2024-07-17 KEV Due Date
2024-08-03 CVE Updated
2024-11-17 EPSS Updated
---------- First Exploit

CWE

CWE-94: Improper Control of Generation of Code ('Code Injection')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb	2024-07-16

URL	Date	SRC
https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx	2024-07-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Geosolutionsgroup Search vendor "Geosolutionsgroup"		Jai-ext Search vendor "Geosolutionsgroup" for product "Jai-ext"				< 1.1.22 Search vendor "Geosolutionsgroup" for product "Jai-ext" and version " < 1.1.22"		-		Affected