CVE-2022-24816
Published: 13 April 2022
Summary
CVE-2022-24816 is a critical-severity Code Injection (CWE-94) vulnerability in Geosolutionsgroup Jai-Ext. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-24816 is a remote code execution vulnerability in the JAI-EXT library, an open-source extension to the Java Advanced Imaging API. It arises when applications accept Jiffle scripts over the network and compile them into Java bytecode using the Janino library; the lack of input sanitization permits arbitrary code injection. The flaw directly affects downstream projects such as GeoServer that expose this functionality.
An unauthenticated attacker can supply a malicious Jiffle script via a network request, causing the application to compile and execute attacker-controlled Java code. Successful exploitation yields full confidentiality, integrity and availability impact and crosses trust boundaries, consistent with the CVSS 10.0 rating and CWE-94 classification.
The project’s security advisory and patch release (version 1.2.22) disable the ability to inject executable code into compiled scripts. Administrators who cannot upgrade are advised to remove the janino JAR from the runtime classpath, thereby preventing Jiffle compilation entirely. The vulnerability is catalogued in CISA’s Known Exploited Vulnerabilities list, and its EPSS score has remained consistently high (current 0.94, peak 0.97), indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2600
Vulnerability details
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
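Both mitigations above (upgrade JAI-EXT to 1.2.22, or drop the Janino JAR from the classpath) can be checked from a jar listing. The following is an added example, not code from the advisory or the JAI-EXT project; it assumes JAI-EXT modules are named `jt-<module>-<version>.jar` and Janino `janino-<version>.jar`, as found in a deployment's lib directory such as GeoServer's `WEB-INF/lib`.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Assumed jar naming (not stated by the advisory): JAI-EXT modules ship as
# jt-<module>-<version>.jar and Janino as janino-<version>.jar.
JANINO_JAR = re.compile(r"^janino-(\d+(?:\.\d+)*)\.jar$")
JAIEXT_JAR = re.compile(r"^jt-[a-z0-9-]+-(\d+(?:\.\d+)*)\.jar$")
FIXED_VERSION = (1, 2, 22)  # first JAI-EXT release that disables the injection path


def parse_version(text: str) -> tuple:
    """'1.1.22' -> (1, 1, 22); pads/truncates to three components for stable compares."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def audit_classpath(jar_names: Iterable[str]) -> Dict[str, object]:
    """Report Janino jars and pre-1.2.22 JAI-EXT jars among the given jar names.

    The RCE needs both an unpatched JAI-EXT (to accept the Jiffle script) and
    Janino (to compile it), so a deployment is only flagged 'exposed' when both
    are present; either upgrading or removing janino-*.jar closes the path.
    """
    janino: List[str] = []
    vulnerable: List[str] = []
    for name in jar_names:
        if JANINO_JAR.match(name):
            janino.append(name)
            continue
        m = JAIEXT_JAR.match(name)
        if m and parse_version(m.group(1)) < FIXED_VERSION:
            vulnerable.append(name)
    return {
        "janino": sorted(janino),
        "vulnerable_jaiext": sorted(vulnerable),
        "exposed": bool(janino) and bool(vulnerable),
    }


def audit_lib_dir(lib_dir: str) -> Dict[str, object]:
    """Run the audit over the *.jar files of a real directory (e.g. WEB-INF/lib)."""
    return audit_classpath(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample listing of an unpatched deployment, for offline demonstration.
SAMPLE_JARS = ["jt-jiffle-1.1.22.jar", "jt-utils-1.1.22.jar",
               "janino-3.1.6.jar", "commons-io-2.11.0.jar"]

if __name__ == "__main__":
    print(audit_classpath(SAMPLE_JARS))
```

Run `audit_lib_dir("/path/to/WEB-INF/lib")` against a real deployment; an `exposed` result means the Jiffle-to-Janino compilation path is still reachable.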
- CWE(s): CWE-94 (Code Injection)
- KEV Date Added: 26 June 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the JAI-EXT 1.2.22 patch that disables the Jiffle-to-Java code-injection path.
- CM-7 (Least Functionality): mandates removal of non-essential components (janino-*.jar) from the classpath, eliminating the Jiffle compilation capability that enables RCE.
- Requires validation of untrusted Jiffle script input to block crafted payloads that inject arbitrary Java code via Janino.