First published: Tue Sep 19 2023(Updated: )
### Impact Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. ### Patches Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. ### Workarounds Negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath. ### References None.
Affected Software | Affected Version | How to fix |
---|---|---|
maven/it.geosolutions.jaiext.jiffle:jt-jiffle-language | <1.1.22 | 1.1.22 |
maven/it.geosolutions.jaiext.jiffle:jt-jiffle | <1.1.22 | 1.1.22 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Programs using jt-jiffle and allowing Jiffle script to be provided via network request are susceptible to a Remote Code Execution.
This vulnerability affects the downstream GeoServer project.
Upgrade to version 1.1.22 of jt-jiffle or jt-jiffle-language.
The severity of this vulnerability is critical with a CVSS score of 9.8.
The CWE ID of this vulnerability is 94.