Severity: critical (9.8)
First published: Tue Sep 19 2023
Last modified: Tue Sep 19 2023
### Impact Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. ### Patches Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. ### Workarounds Negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath. ### References None.
Programs using jt-jiffle and allowing Jiffle script to be provided via network request are susceptible to Remote Code Execution.
The downstream GeoServer project is particularly affected by this vulnerability.
Update the jt-jiffle and jt-jiffle-language packages to version 1.1.23 or higher.
More information about CVE-2022-24816 can be found in the GitHub security advisory and NVD NIST vulnerability report.
The severity rating of CVE-2022-24816 is critical with a score of 9.8.