Severity: critical (9.8)

First published: Tue Sep 19 2023

Last modified: Tue Sep 19 2023

CWE: 94

### Impact

Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project.

### Patches

Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script.

### Workarounds

Negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.

### References

None.
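One way to apply the workaround above in a Maven build, as an added example that is not part of the advisory or the jt-jiffle project: exclude Janino from the jt-jiffle dependency so the jar never reaches the classpath. This assumes jt-jiffle-language declares `org.codehaus.janino:janino` as a transitive dependency; the version string is a placeholder.

```xml
<!-- Added example, not from the advisory: keep Janino off the classpath so Jiffle
     scripts cannot be compiled. Assumes janino arrives transitively via jt-jiffle-language;
     replace VERSION-PLACEHOLDER with the version actually in use. -->
<dependency>
  <groupId>it.geosolutions.jaiext.jiffle</groupId>
  <artifactId>jt-jiffle-language</artifactId>
  <version>VERSION-PLACEHOLDER</version>
  <exclusions>
    <exclusion>
      <groupId>org.codehaus.janino</groupId>
      <artifactId>janino</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

After the change, confirm nothing else still pulls Janino in with `mvn dependency:tree -Dincludes=org.codehaus.janino`; an empty result means the workaround holds, while any remaining path (another library depending on Janino) needs its own exclusion. Any attempt to compile a Jiffle script will then fail at runtime, which is the intended effect; upgrading to the fixed release remains the proper remediation.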

Affected packages (any of):

  • maven/it.geosolutions.jaiext.jiffle:jt-jiffle-language
    fixed in: 1.1.22
  • maven/it.geosolutions.jaiext.jiffle:jt-jiffle
    fixed in: 1.1.22


  • What is the impact of CVE-2022-24816?

    Programs using jt-jiffle and allowing Jiffle script to be provided via network request are susceptible to Remote Code Execution.

  • Which project is particularly affected by CVE-2022-24816?

    The downstream GeoServer project is particularly affected by this vulnerability.

  • How can I fix CVE-2022-24816?

    Update the jt-jiffle and jt-jiffle-language packages to version 1.1.23 or higher.

  • Where can I find more information about CVE-2022-24816?

    More information about CVE-2022-24816 can be found in the GitHub security advisory and NVD NIST vulnerability report.

  • What is the severity rating of CVE-2022-24816?

    The severity rating of CVE-2022-24816 is critical with a score of 9.8.
