Strix
26.1K

CVE-2022-24816

CRITICALCVSS 10/10Actively ExploitedEPSS 98.68%

Last modified

CVE-2022-24816 is a critical-severity vulnerability rated 10/10 on the CVSS scale. JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. CISA has confirmed active exploitation in the wild. EPSS estimates a 98.68% chance of exploitation in the next 30 days.

Description

JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.

Metrics

CVSS 3.1
10/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability
98.68%

99.9th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .

Weakness Enumeration

Affected Software

VendorProductVersions
GeosolutionsgroupJai-Ext< 1.1.22

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2022-24816?
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.
How severe is CVE-2022-24816?
CVE-2022-24816 has a CVSS score of 10/10 (CRITICAL severity). The EPSS model estimates a 98.68% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
How do I fix CVE-2022-24816?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-24816?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST