vulnerability

GeoSolutions Jiffle: GeoServer Code Injection Vulnerability (CVE-2022-24816)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	04/13/2022	07/26/2024	02/21/2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

04/13/2022

Added

07/26/2024

Modified

02/21/2025

Description

Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project, which uses JAI-EXT, an open-source project which aims to extend the Java Advanced Imaging (JAI) API.

Solution

geosolutions-jiffle-update-latest

References

CVE-2022-24816
https://attackerkb.com/topics/CVE-2022-24816
URL-https://geoserver.org/vulnerability/2022/04/11/geoserver-2-jiffle-jndi-rce.html

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today