CVE-2022-24816
unknown
KEV
CVSS v3: —
CVSS v2: —
VIR risk: 1.5
Description
OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution.
CISA KEV
- Vendor: OSGeo
- Product: JAI-EXT
- Due date: 2024-07-17
Predictions
Exploit likelihood: 99%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. The patched JAI-EXT is version 1.1.22:
- https://github.com/geosolutions-it/jai-ext/releases/tag/1.1.22
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | it.geosolutions.jaiext.jiffle:jt-jiffle | <1.1.22 | 1.1.22 |
| Maven | it.geosolutions.jaiext.jiffle:jt-jiffle-language | <1.1.22 | 1.1.22 |
References
- https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
- https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
- https://github.com/geosolutions-it/jai-ext
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24816