GHSA-v92f-jx6p-73rx: Improper Control of Generation of Code ('Code Injection') in jai-ext
Impact
Programs using jt-jiffle that allow a Jiffle script to be supplied via a network request are susceptible to remote code execution, because the Jiffle script is compiled into Java code via Janino and then executed. In particular, this affects the downstream GeoServer project.
Patches
Version 1.2.22 will contain a patch that removes the ability to inject malicious code into the generated script.
Workarounds
Remove the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
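As an added example (not part of the advisory or the jai-ext project), the following POSIX shell snippet checks whether a deployed application's library directory still carries a Janino jar, i.e. whether the workaround above has actually been applied. The directory layout and the jar file names it creates are constructed for the demonstration; the only assumption is that Janino ships as a jar named janino-<version>.jar, as the advisory's janino-x.y.z.jar placeholder indicates.

```shell
#!/bin/sh
# Added example, not code from the advisory or from jai-ext: verify that no
# Janino jar remains on an application's classpath directory, since Jiffle
# scripts can only be compiled when Janino is present.

# Print every Janino jar found under the given directory, one path per line.
list_janino_jars() {
  find "$1" -type f -name 'janino-*.jar' 2>/dev/null
}

# Return 0 when no Janino jar is present (workaround applied), 1 otherwise.
janino_absent() {
  [ -z "$(list_janino_jars "$1")" ]
}

# Demonstration on a constructed directory layout; the jar names are made up
# and the files are empty placeholders, not real Janino or jt-jiffle releases.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/WEB-INF/lib"
: > "$demo_dir/WEB-INF/lib/jt-jiffle-placeholder.jar"
: > "$demo_dir/WEB-INF/lib/janino-0.0.0-constructed.jar"

if janino_absent "$demo_dir"; then
  echo "no Janino jar found under $demo_dir"
else
  echo "Janino still on the classpath:"
  list_janino_jars "$demo_dir"
fi

# Apply the workaround (delete the jar) and check again.
rm -f "$demo_dir/WEB-INF/lib/janino-0.0.0-constructed.jar"
if janino_absent "$demo_dir"; then
  echo "workaround applied: Janino removed from $demo_dir"
fi

rm -rf "$demo_dir"
```

Point the functions at the real deployment directory (for a servlet container, typically the application's WEB-INF/lib) rather than the constructed one; a non-empty listing means Jiffle compilation is still possible and the workaround is incomplete.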
References
None.
- CVE-2022-24816
Critical severity GitHub Reviewed Published Apr 13, 2022 in geosolutions-it/jai-ext • Updated Sep 19, 2023
Package: it.geosolutions.jaiext.jiffle:jt-jiffle (Maven)
Affected versions: < 1.1.22
Package: it.geosolutions.jaiext.jiffle:jt-jiffle-language (Maven)
References
- GHSA-v92f-jx6p-73rx
- https://nvd.nist.gov/vuln/detail/CVE-2022-24816
- geosolutions-it/jai-ext@cb1d656
Published to the GitHub Advisory Database
Sep 19, 2023
Last updated
Sep 19, 2023