vulnerability

GeoSolutions Jiffle: GeoServer Code Injection Vulnerability (CVE-2022-24816)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
7	(AV:N/AC:L/Au:N/C:P/I:P/A:P)	Apr 13, 2022	Jul 26, 2024	Apr 23, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

Published

Apr 13, 2022

Added

Jul 26, 2024

Modified

Apr 23, 2025

Description

Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project, which uses JAI-EXT, an open-source project which aims to extend the Java Advanced Imaging (JAI) API.

Solution

geosolutions-jiffle-update-latest

References

CVE-2022-24816
https://attackerkb.com/topics/CVE-2022-24816
https://geoserver.org/vulnerability/2022/04/11/geoserver-2-jiffle-jndi-rce.html

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report