CVE-2022-24816 — OSGeo GeoServer JAI-EXT Code Injection Vulnerability

2024-06-26 • CISA Known Exploited Vulnerability

[event] OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow Jiffle script to be provided via network request, could allow remote code execution.

> AFFECTED SOFTWARE

Field	Value
Vendor	OSGeo
Product	JAI-EXT
CWE	CWE-94
CVE ID	CVE-2022-24816
Date Added	2024-06-26
Due Date	2024-07-17
Ransomware Campaign	Unknown

> MITIGATION

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Due Date: 2024-07-17

> REFERENCES

[1] https://github.com/geosolutions-it/jai-ext/releases/tag/1.1.22,
[2] https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73...
[3] https://nvd.nist.gov/vuln/detail/CVE-2022-24816