CVE-2022-24816

Summary

CVE: CVE-2022-24816
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-04-13 21:15:00 UTC
Updated: 2023-02-16 19:08:00 UTC
Description: JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.

Risk And Classification

EPSS: 0.937140000 probability, percentile 0.998500000 (date 2026-04-22)

CISA KEV: Listed on 2024-06-26; due 2024-07-17; ransomware use Unknown

Problem Types: CWE-94

CISA Known Exploited Vulnerability

Vendor: OSGeo
Product: JAI-EXT
Name: OSGeo GeoServer JAI-EXT Code Injection Vulnerability
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. The patched JAI-EXT is version 1.1.22: https://github.com/geosolutions-it/jai-ext/releases/tag/1.1.22, https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx; https://nvd.nist.gov/vuln/detail/CVE-2022-24816

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Geosolutionsgroup | Jai-ext | All | All | All | All
Application | Geosolutionsgroup | Jal-ext | All | All | All | All

References

Reference | Source | Link | Tags
Improper Control of Generation of Code ('Code Injection') in jai-ext · Advisory · geosolutions-it/jai-ext · GitHub | CONFIRM | github.com |
Validate Jiffle input variable names according to grammar, escape jav… · geosolutions-it/jai-ext@cb1d656 · GitHub | MISC | github.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis
CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev

Legacy QID Mappings

  • 150667 GeoServer JAI-EXT Remote Code Execution (RCE) Vulnerability (CVE-2022-24816)
  • 730744 jai-ext Remote Code Execution (RCE) Vulnerability (GHSA-v92f-jx6p-73rx)
  • 995305 Java (Maven) Security Update for it.geosolutions.jaiext.jiffle:jt-jiffle (GHSA-v92f-jx6p-73rx)

© CVE.report 2026