
GHSA-v92f-jx6p-73rx

Severity: critical (9.8)

First published: Tue Sep 19 2023

Last modified: Tue Sep 19 2023

CWE: 94

### Impact

Programs that use jt-jiffle and allow a Jiffle script to be supplied via a network request are susceptible to remote code execution, because the Jiffle script is compiled into Java code via Janino and then executed. In particular, this affects the downstream GeoServer project.

### Patches

Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script.

### Workarounds

Negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.

### References

None.
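A small audit helper for the advisory above, added here as an example and not part of jt-jiffle or GeoServer: it scans a list of jar file names (the `WEB-INF/lib` directory of a deployment, for instance), flags jt-jiffle / jt-jiffle-language builds below the fixed version 1.1.22 listed in the affected ranges, and reports whether a Janino jar is still on the classpath, i.e. whether the "remove janino" workaround has been applied. It assumes the usual Maven naming convention `artifact-version.jar`; the sample jar names are constructed.

```python
import re
from pathlib import Path

# Affected artifacts and the fixed-in version, taken from the advisory's affected list.
AFFECTED_ARTIFACTS = {"jt-jiffle", "jt-jiffle-language"}
FIXED_VERSION = (1, 1, 22)

# Maven-style jar name: <artifact>-<numeric version>[-qualifier].jar (assumed convention)
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)(?:[-.].*)?\.jar$", re.I
)


def parse_jar_name(name):
    """Return (artifact, version_tuple) for a Maven-style jar name, or None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("artifact").lower(), version


def audit_classpath(jar_names):
    """Check a classpath for vulnerable jt-jiffle builds and for the Janino compiler.

    'exposed' is True only when a vulnerable jt-jiffle jar AND janino are both present:
    without Janino the Jiffle script cannot be compiled, which is the documented workaround.
    """
    vulnerable, janino_present = [], False
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact == "janino":
            janino_present = True
        elif artifact in AFFECTED_ARTIFACTS and version < FIXED_VERSION:
            vulnerable.append((artifact, ".".join(map(str, version))))
    return {"vulnerable": vulnerable, "janino_present": janino_present,
            "exposed": bool(vulnerable) and janino_present}


def audit_directory(lib_dir):
    """Audit every *.jar in a real directory, e.g. a GeoServer WEB-INF/lib."""
    return audit_classpath(p.name for p in Path(lib_dir).glob("*.jar"))


if __name__ == "__main__":
    # Constructed sample: an unpatched jt-jiffle with Janino still on the classpath.
    sample = ["jt-jiffle-1.1.20.jar", "janino-3.1.9.jar", "gt-main-29.1.jar"]
    print(audit_classpath(sample))
```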

Any of

  • maven/it.geosolutions.jaiext.jiffle:jt-jiffle-language
    <1.1.22
    fixed in: 1.1.22
  • maven/it.geosolutions.jaiext.jiffle:jt-jiffle
    <1.1.22
    fixed in: 1.1.22

FAQ

  • What is the impact of the GHSA-v92f-jx6p-73rx vulnerability?

    Programs using jt-jiffle and allowing Jiffle script to be provided via network request are susceptible to a Remote Code Execution.

  • Which projects are affected by the GHSA-v92f-jx6p-73rx vulnerability?

    This vulnerability affects the downstream GeoServer project.

  • How can I patch the GHSA-v92f-jx6p-73rx vulnerability?

    Upgrade to version 1.1.22 of jt-jiffle or jt-jiffle-language.

  • What is the severity of the GHSA-v92f-jx6p-73rx vulnerability?

    The severity of this vulnerability is critical with a CVSS score of 9.8.

  • What is the CWE ID of the GHSA-v92f-jx6p-73rx vulnerability?

    The CWE ID of this vulnerability is 94.

SecAlerts Pty Ltd.
Fortitude Valley,
QLD 4006, Australia
© Copyright 2023 - ABN: 70 645 966 203, ACN: 645 966 203