{"id":"GHSA-v92f-jx6p-73rx","summary":"Improper Control of Generation of Code ('Code Injection') in jai-ext","details":"### Impact\nPrograms using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project.\n\n### Patches\nVersion 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script.\n\n### Workarounds\nNegate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.\n\n### References\nNone.","aliases":["CVE-2022-24816"],"modified":"2025-10-22T19:17:43Z","published":"2023-09-19T20:35:16Z","database_specific":{"cwe_ids":["CWE-94"],"github_reviewed":true,"severity":"CRITICAL","nvd_published_at":"2022-04-13T21:15:00Z","github_reviewed_at":"2023-09-19T20:35:16Z"},"references":[{"type":"WEB","url":"https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24816"},{"type":"WEB","url":"https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb"},{"type":"PACKAGE","url":"https://github.com/geosolutions-it/jai-ext"},{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-24816"}],"affected":[{"package":{"name":"it.geosolutions.jaiext.jiffle:jt-jiffle","ecosystem":"Maven","purl":"pkg:maven/it.geosolutions.jaiext.jiffle/jt-jiffle"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.22"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-v92f-jx6p-73rx/GHSA-v92f-jx6p-73rx.json"}},{"package":{"name":"it.geosolutions.jaiext.jiffle:jt-jiffle-language","ecosystem":"Maven","purl":"pkg:maven/it.geosolutions.jaiext.jiffle/jt-jiffle-language"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.1.22"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-v92f-jx6p-73rx/GHSA-v92f-jx6p-73rx.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"}]}