PT-2022-16896 · Janino+2
Aaime +1 · Published 2022-04-13 · Updated 2024-09-24
CVE-2022-24816
CVSS v3.1: 10.0 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
JAI-EXT versions prior to 1.2.22
GeoServer (affected versions not specified; any release bundling JAI-EXT older than 1.2.22)
Description
Jiffle is the raster map-algebra scripting language shipped with JAI-EXT. Jiffle scripts are not interpreted: the Jiffle compiler translates a script into Java source, which Janino compiles and loads into the running JVM. Any program that accepts a Jiffle script from a network request therefore lets the requester run arbitrary Java with the application's privileges, which is why the CVSS vector requires no privileges or user interaction and carries a changed scope. GeoServer, which bundles JAI-EXT and offers Jiffle through its raster rendering transformations, is affected downstream.
Recommendations
Upgrade JAI-EXT to 1.2.22 or later. GeoServer deployments get the fix through a GeoServer release that bundles the patched JAI-EXT; verify the JAI-EXT jars actually deployed on the classpath report 1.2.22 or later rather than relying on the product version alone.
Temporary workaround if you cannot upgrade: remove janino-x.y.z.jar from the application's classpath. Without Janino the application can no longer compile Jiffle scripts at all, so any legitimate Jiffle-based styles or processes stop working, and you should confirm that no other component on the classpath depends on Janino before removing it. The workaround only blocks the code path; it does not fix the underlying issue, so the upgrade is still required.
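The two recommendations above amount to a check a practitioner can script: is the deployed JAI-EXT older than 1.2.22, and if so, is the Janino jar still on the classpath? The following POSIX shell audit is an added example, not code from the advisory or from the JAI-EXT or GeoServer projects. It assumes Maven-style jar names (jt-jiffle-*-<version>.jar for the Jiffle modules of JAI-EXT, janino-<version>.jar for the compiler), which the advisory itself does not state.

```shell
#!/bin/sh
# Added example (not from the advisory or the JAI-EXT/GeoServer projects).
# Audits one classpath directory, e.g. GeoServer's WEB-INF/lib, for
# CVE-2022-24816: Jiffle (JAI-EXT) older than 1.2.22 with Janino present.
# Assumption: Maven-style names such as jt-jiffle-language-1.2.21.jar and
# janino-3.1.6.jar. Adjust the globs if your build renames artifacts.

FIXED_VERSION="1.2.22"

# jar_version PATH: print the dotted version embedded in a jar file name
# (the last "-<digits...>" group, so "-SNAPSHOT" suffixes are ignored).
jar_version() {
  name=${1##*/}; name=${name%.jar}
  printf '%s\n' "$name" | sed -n 's/^.*-\([0-9][0-9.]*\).*$/\1/p'
}

# version_lt A B: exit 0 when dotted version A sorts before B, 1 otherwise.
# Compares component by component numerically; missing components count as 0.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # drop qualifiers such as "22rc1"
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# audit_lib DIR: print one finding; exit status 0 = fixed or Jiffle absent,
# 1 = vulnerable (or unparseable, treated as vulnerable),
# 2 = old Jiffle but Janino removed (the advisory's temporary workaround).
audit_lib() {
  dir=$1
  jiffle_found=0; jiffle_ver=""; janino_jar=""
  for jar in "$dir"/jt-jiffle-*.jar; do
    if [ -e "$jar" ]; then
      jiffle_found=1
      v=$(jar_version "$jar")
      # keep the lowest version seen, in case modules are out of step
      if [ -n "$v" ] && { [ -z "$jiffle_ver" ] || version_lt "$v" "$jiffle_ver"; }; then
        jiffle_ver=$v
      fi
    fi
  done
  for jar in "$dir"/janino-*.jar; do
    if [ -e "$jar" ]; then janino_jar=${jar##*/}; fi
  done

  if [ "$jiffle_found" -eq 0 ]; then
    echo "OK: no jt-jiffle-*.jar in $dir (Jiffle not deployed)"; return 0
  fi
  if [ -z "$jiffle_ver" ]; then
    echo "VULNERABLE?: jt-jiffle jar present but version not parseable; treat as unpatched"; return 1
  fi
  if version_lt "$jiffle_ver" "$FIXED_VERSION"; then
    if [ -n "$janino_jar" ]; then
      echo "VULNERABLE: Jiffle $jiffle_ver < $FIXED_VERSION and $janino_jar on classpath"; return 1
    fi
    echo "MITIGATED: Jiffle $jiffle_ver < $FIXED_VERSION but no janino jar; upgrade still required"; return 2
  fi
  echo "OK: Jiffle $jiffle_ver >= $FIXED_VERSION"; return 0
}

# Usage: sh audit-jiffle.sh /path/to/geoserver/WEB-INF/lib
if [ "$#" -gt 0 ]; then
  audit_lib "$1"
  exit $?
fi
```

The exit status is meant for use from a fleet-wide loop (`for h in ...; do ssh "$h" sh -s /opt/geoserver/WEB-INF/lib < audit-jiffle.sh; done`), so a 2 can be tracked as "workaround applied, upgrade pending" rather than folded into pass or fail. The version comparison deliberately treats the 1.1.x line as older than 1.2.22, matching the advisory's "versions prior to 1.2.22".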
Exploit · Fix
Weakness Enumeration
Code Injection (CWE-94)
Affected Products
Geoserver
Jai-Ext
Janino