CVE-2022-24816

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24816
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24816.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-24816
Published
2022-04-13T21:15:07Z
Modified
2025-09-19T13:41:23.086427Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
[none]
Details

JAI-EXT is an open-source project that aims to extend the Java Advanced Imaging (JAI) API. Programs that allow a Jiffle script to be provided via network request are exposed to remote code execution, because the Jiffle script is compiled into Java code via Janino and then executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.

Affected packages

Git / github.com/geosolutions-it/jai-ext

Affected ranges

Type
GIT
Repo
https://github.com/geosolutions-it/jai-ext
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.0-M062014
1.0-M09032015
1.0-M10032015
1.0.0
1.0.1
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.2
1.0.20
1.0.21
1.0.22
1.0.23
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.1
1.1.10
1.1.11
1.1.12
1.1.13
1.1.14
1.1.15
1.1.16
1.1.17
1.1.18
1.1.19
1.1.2
1.1.20
1.1.21
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9

Database specific

{
    "vanir_signatures": [
        {
            "id": "CVE-2022-24816-35799167",
            "signature_type": "Function",
            "digest": {
                "function_hash": "254821243078582185125542254142522252660",
                "length": 236.0
            },
            "target": {
                "file": "jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/parser/node/Script.java",
                "function": "Script"
            },
            "source": "https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2022-24816-59df2235",
            "signature_type": "Function",
            "digest": {
                "function_hash": "182024328535530426132594235410193829808",
                "length": 362.0
            },
            "target": {
                "file": "jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/Jiffle.java",
                "function": "getRuntimeInstance"
            },
            "source": "https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2022-24816-878ff803",
            "signature_type": "Function",
            "digest": {
                "function_hash": "120671888045878782109440079156668231323",
                "length": 3845.0
            },
            "target": {
                "file": "jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/parser/node/Script.java",
                "function": "write"
            },
            "source": "https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2022-24816-907008b1",
            "signature_type": "Function",
            "digest": {
                "function_hash": "152097936192969137885336418685609644947",
                "length": 105.0
            },
            "target": {
                "file": "jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/Jiffle.java",
                "function": "stripComments"
            },
            "source": "https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2022-24816-997c595a",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/Jiffle.java"
            },
            "source": "https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2022-24816-a86b8715",
            "signature_type": "Function",
            "digest": {
                "function_hash": "128514383527192933743261747196691806934",
                "length": 319.0
            },
            "target": {
                "file": "jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/Jiffle.java",
                "function": "createRuntimeSource"
            },
            "source": "https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2022-24816-b55d9dd3",
            "signature_type": "Line",
            "digest": {
                "line_hashes": [
                ],
                "threshold": 0.9
            },
            "target": {
                "file": "jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/parser/node/Script.java"
            },
            "source": "https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2022-24816-d01db195",
            "signature_type": "Function",
            "digest": {
                "function_hash": "314562174820989954586344923162623964302",
                "length": 1562.0
            },
            "target": {
                "file": "jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/Jiffle.java",
                "function": "createRuntimeInstance"
            },
            "source": "https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb",
            "signature_version": "v1",
            "deprecated": false
        },
        {
            "id": "CVE-2022-24816-f705f1d8",
            "signature_type": "Function",
            "digest": {
                "function_hash": "90917098670742356278835910255156876295",
                "length": 152.0
            },
            "target": {
                "file": "jt-jiffle/jt-jiffle-language/src/main/java/it/geosolutions/jaiext/jiffle/Jiffle.java",
                "function": "getRuntimeInstance"
            },
            "source": "https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb",
            "signature_version": "v1",
            "deprecated": false
        }
    ]
}