JAI-EXT is an open-source project that extends the Java Advanced Imaging (JAI) API. Applications that accept a Jiffle script over a network request are exposed to remote code execution, because the Jiffle script is compiled into Java code via Janino and then executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade can remove the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath, at the cost of losing Jiffle support entirely.
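The two conditions the advisory describes, an unpatched jai-ext together with Janino on the classpath, can be checked mechanically against a deployment's jar directory. The following Python script is an added example, not code from this page or from the jai-ext or GeoServer projects. It assumes Janino ships as janino-x.y.z.jar (as the workaround above states) and that jai-ext modules are packaged as jt-<module>-<version>.jar; the sample jar listing at the bottom is constructed.

```python
"""Assess a Java deployment's jar directory for CVE-2022-24816 exposure.

The advisory gives two conditions for the bug to be reachable: an unpatched
jai-ext (before 1.2.22) and Janino on the classpath, since Jiffle scripts are
compiled to Java through Janino. This script checks both from jar file names.
"""
import re
from pathlib import Path

# Fixed version as stated in the advisory text.
FIXED_JAIEXT = (1, 2, 22)

# The advisory's workaround names the jar janino-x.y.z.jar.
JANINO_JAR = re.compile(r"^janino-(\d+(?:\.\d+)*)\.jar$")

# Assumption: jai-ext modules ship as jt-<module>-<version>.jar (for example
# jt-jiffle-language-<version>.jar). Adjust if a deployment names them differently.
JAIEXT_JAR = re.compile(r"^jt-(.+?)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '1.2.22' into (1, 2, 22) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def assess(jar_names):
    """Return a verdict dict for a list of jar file names."""
    janino_versions = []
    jaiext_modules = {}
    for name in jar_names:
        janino = JANINO_JAR.match(name)
        if janino:
            janino_versions.append(janino.group(1))
            continue
        jaiext = JAIEXT_JAR.match(name)
        if jaiext:
            jaiext_modules[jaiext.group(1)] = parse_version(jaiext.group(2))

    # Only the Jiffle modules compile scripts; other jai-ext modules are not
    # the code path the advisory describes (assumption based on its wording).
    jiffle = {m: v for m, v in jaiext_modules.items() if "jiffle" in m}
    unpatched = sorted(m for m, v in jiffle.items() if v < FIXED_JAIEXT)

    if not jiffle:
        verdict, reason = "not-affected", "no jai-ext Jiffle modules found"
    elif not unpatched:
        verdict, reason = "patched", "all Jiffle modules are at or above 1.2.22"
    elif not janino_versions:
        verdict, reason = ("mitigated",
                           "Jiffle is unpatched but Janino is absent, so scripts cannot be compiled")
    else:
        verdict, reason = ("vulnerable",
                           f"unpatched Jiffle modules {unpatched} with Janino {janino_versions}")
    return {
        "verdict": verdict,
        "reason": reason,
        "janino_versions": janino_versions,
        "unpatched_modules": unpatched,
    }


def assess_directory(lib_dir):
    """Run assess() over the *.jar files in a directory such as WEB-INF/lib."""
    return assess(sorted(p.name for p in Path(lib_dir).glob("*.jar")))


# Constructed sample listing; not taken from any real deployment.
SAMPLE_LIB = [
    "jt-jiffle-language-1.2.21.jar",
    "jt-jiffle-op-1.2.21.jar",
    "jt-utilities-1.2.21.jar",
    "janino-3.1.6.jar",
    "commons-compiler-3.1.6.jar",
    "gt-main-27.0.jar",
]

if __name__ == "__main__":
    import sys
    result = assess_directory(sys.argv[1]) if len(sys.argv) > 1 else assess(SAMPLE_LIB)
    print(f"{result['verdict']}: {result['reason']}")
```

Run it with a path to the application's lib directory; with no argument it evaluates the constructed listing. A "mitigated" verdict means the classpath workaround is in place but the jai-ext jars are still old, so upgrading remains the real fix.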
Advisories

Source: Github GHSA
ID: GHSA-v92f-jx6p-73rx
Title: Improper Control of Generation of Code ('Code Injection') in jai-ext
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 22 Oct 2025 00:15:00 +0000
Tue, 21 Oct 2025 20:30:00 +0000
Tue, 21 Oct 2025 19:30:00 +0000
Wed, 30 Jul 2025 02:15:00 +0000

Type      Values Removed / Values Added
CPEs      cpe:2.3:a:geosolutionsgroup:jai-ext:-:*:*:*:*:*:*:*
Metrics   ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-10-21T23:15:42.188Z
Reserved: 2022-02-10T00:00:00.000Z
Link: CVE-2022-24816

Vulnrichment
Updated: 2024-08-03T04:20:50.507Z

NVD
Status: Modified
Published: 2022-04-13T21:15:07.683
Modified: 2025-10-22T00:18:00.190
Link: CVE-2022-24816

Redhat
No data.

OpenCVE Enrichment
No data.