RCE in Geosolutions-it Jai-ext
CVE-2022-24816
JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java c…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.940 (99.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Geosolutions-it Jai-ext — versions < 1.1.22
Weakness classification (CWE)
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Public proof-of-concept exploits
References
- github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx (x_refsource_CONFIRM)
- github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da… (x_refsource_MISC)
Frequently asked questions
- What is CVE-2022-24816?
- CVE-2022-24816 is a critical-severity vulnerability in Geosolutions-it Jai-ext, classified under Code Injection. CVSS score: 10.0/10. Published 2022-04-13.
- How severe is CVE-2022-24816?
- Critical severity. CVSS v3 base score is 10.0 out of 10.
- Is CVE-2022-24816 known to be exploited?
- Yes. CVE-2022-24816 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-06-26), indicating it is being actively exploited. 8 public proof-of-concept repositories are indexed.