Unknown · Geowebcache · CVE-2022-24846
**Name of the Vulnerable Software and Affected Versions**
GeoWebCache versions prior to 1.21.0
GeoWebCache versions prior to 1.20.2
GeoWebCache versions prior to 1.19.3
**Description**
The GeoWebCache disk quota mechanism can perform an unchecked JNDI lookup, which can be used to perform class deserialization and result in arbitrary code execution. In GeoWebCache itself the JNDI strings are supplied through a local configuration file; in GeoServer the same setting is exposed through the web user interface, which is reachable remotely by anyone with an admin-level login. These lookups are unrestricted in scope and can lead to code execution.
**Recommendations**
For versions prior to 1.21.0, update to version 1.21.0 to restrict the JNDI lookups.
For versions prior to 1.20.2, update to version 1.20.2 to restrict the JNDI lookups.
For versions prior to 1.19.3, update to version 1.19.3 to restrict the JNDI lookups.
As a temporary workaround, consider restricting access to the admin-level login to minimize the risk of exploitation.
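As an added illustration of the configuration-side exposure described above and of the "restrict the JNDI lookups" fix recommended here, the following check scans a disk-quota XML configuration and flags any JNDI name that falls outside the container-local `java:comp/env/` namespace. This is example code written for this page, not GeoWebCache's own; the element name `JNDISource`, the sample configuration and the allow-list prefix are assumptions, not values taken from the project.

```python
"""Flag JNDI names in a disk-quota configuration that would allow a lookup
outside the container-managed namespace (added example, not GeoWebCache code)."""
import re
import xml.etree.ElementTree as ET

# Allow-list: only container-managed names under java:comp/env/ are accepted.
# Assumed to mirror the kind of restriction the fixed versions apply.
ALLOWED_PREFIX = "java:comp/env/"
# URL schemes that make the JNDI provider contact a remote server and
# resolve object factories, which is the path to deserialization.
REMOTE_SCHEMES = re.compile(r"^(ldap|ldaps|rmi|iiop|dns|corbaname)://", re.IGNORECASE)


def classify_jndi_name(name: str) -> str:
    """Return 'allowed', 'remote' or 'unexpected' for a single JNDI name."""
    n = name.strip()
    if n.startswith(ALLOWED_PREFIX) and len(n) > len(ALLOWED_PREFIX):
        return "allowed"
    if REMOTE_SCHEMES.match(n):
        return "remote"
    return "unexpected"


def find_jndi_findings(xml_text: str) -> list[tuple[str, str, str]]:
    """Walk every element whose tag mentions JNDI (assumed naming) and classify
    its text. Returns (tag, value, verdict) for each name that is not allowed."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop any XML namespace prefix
        if "jndi" in tag.lower() and el.text and el.text.strip():
            verdict = classify_jndi_name(el.text)
            if verdict != "allowed":
                findings.append((tag, el.text.strip(), verdict))
    return findings


# Constructed sample configuration; element names and values are assumptions.
# The first entry points at a remote directory (documentation-range address),
# the second is a container-local data source and should pass.
SAMPLE_CONFIG = """<gwcJdbcConfiguration>
  <dialect>PostgreSQL</dialect>
  <JNDISource>ldap://203.0.113.10:1389/o=quota</JNDISource>
  <connectionPool>
    <JNDISource>java:comp/env/jdbc/gwc</JNDISource>
  </connectionPool>
</gwcJdbcConfiguration>"""

if __name__ == "__main__":
    for tag, value, verdict in find_jndi_findings(SAMPLE_CONFIG):
        print(f"{verdict}: <{tag}> {value}")
```

Run it against a real configuration by reading the file into `find_jndi_findings`; any `remote` or `unexpected` verdict on an unpatched instance deserves the same urgency as the upgrade itself.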