
CVE-2022-24816: Improper Control of Generation of Code ('Code Injection') in jai-ext

CVSS 3.1 Score: 9.8

Basic Information

EPSS Score: 0.99903%
Published: 9/19/2023
Updated: 2/18/2025
KEV Status: Yes
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name                                      | Ecosystem | Vulnerable Versions | First Patched Version |
|---------------------------------------------------|-----------|---------------------|-----------------------|
| it.geosolutions.jaiext.jiffle:jt-jiffle           | maven     | < 1.1.22            | 1.1.22                |
| it.geosolutions.jaiext.jiffle:jt-jiffle-language  | maven     | < 1.1.22            | 1.1.22                |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two related defects. First, the `Jiffle` class's runtime compilation step (`createRuntimeInstance`) translates a Jiffle script into Java source and spliced user-controlled text into that source without validation before handing it to Janino to compile and load. Second, the `Script` class accepted variable names that were not valid Java identifiers. Because a "name" containing Java syntax is emitted into the generated source verbatim, an attacker who controls the script can terminate the intended declaration and append arbitrary Java, which runs when the compiled runtime class is loaded; script text emitted into generated Javadoc could likewise carry a `*/` that closes the comment and injects code the same way. The patch adds a `VALID_IDENTIFIER` regex check in `Script`'s constructor and escapes the Javadoc content, and the commit message ("validate input variable names and escape Javadocs") matches exactly these two changes, confirming them as the injection vectors. In practice, any application that compiles Jiffle scripts received over the network must upgrade to 1.1.22 or later, and because Jiffle scripts are compiled into executable Java by design, they should only ever be accepted from trusted, authenticated sources.
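The following is an added illustrative model of the injection pattern described above; it is not the jt-jiffle code and does not reproduce its generator. The class and method names, the shape of the `VALID_IDENTIFIER` pattern, the generated-source template, and the `*/`-splitting escape are assumptions chosen to mirror the root-cause description, and it assumes Janino (`org.codehaus.janino.SimpleCompiler`) is on the classpath. It shows both injection vectors (a non-identifier "variable name" and a `*/` inside generated Javadoc) against an unsafe generator, then the same inputs against the hardened one.

```java
import java.util.regex.Pattern;
import org.codehaus.janino.SimpleCompiler;

/**
 * Illustrative model (NOT jt-jiffle's generator) of script-to-Java code
 * generation as a code-injection sink, and of the two checks the fix adds:
 * identifier validation and Javadoc escaping. All names are assumptions.
 */
public class JiffleInjectionModel {

    /** Assumed shape of the identifier check added to Script's constructor. */
    static final Pattern VALID_IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /** Vulnerable pattern: user-controlled text is spliced into source verbatim. */
    static String generateUnsafe(String varName, String scriptText) {
        return "public class GeneratedRuntime {\n"
             + "    /** Script variable " + varName + " from script: " + scriptText + " */\n"
             + "    public double " + varName + ";\n"
             + "}\n";
    }

    /** Hardened pattern: reject non-identifiers and neutralise comment terminators. */
    static String generateSafe(String varName, String scriptText) {
        if (!VALID_IDENTIFIER.matcher(varName).matches()) {
            throw new IllegalArgumentException("not a valid identifier: " + varName);
        }
        // "*/" would end the Javadoc early; splitting the pair keeps it inert.
        // Do not use "\u002F" for this: Java translates unicode escapes before
        // tokenising, so "*\u002F" still terminates the comment.
        String escaped = scriptText.replace("*/", "* /");
        return "public class GeneratedRuntime {\n"
             + "    /** Script variable " + varName + " from script: " + escaped + " */\n"
             + "    public double " + varName + ";\n"
             + "}\n";
    }

    /** Compile generated source with Janino and force static initialisation. */
    static void compileAndInit(String source) throws Exception {
        SimpleCompiler compiler = new SimpleCompiler();
        compiler.cook(source);
        Class.forName("GeneratedRuntime", true, compiler.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        // Constructed attacker "variable name": closes the field declaration,
        // adds a static initialiser that runs on class load, then re-opens a
        // field so the template's trailing ';' still parses. A real payload
        // would call Runtime.exec; a system property keeps this harmless.
        String evilName = "x; static { System.setProperty(\"jiffle.pwned\", \"yes\"); } public double y";
        // Constructed script text that breaks out of the generated Javadoc.
        String evilScript = "*/ static { System.setProperty(\"jiffle.pwned2\", \"yes\"); } /*";

        compileAndInit(generateUnsafe(evilName, "dest = 1;"));
        System.out.println("unsafe, identifier vector: jiffle.pwned=" + System.getProperty("jiffle.pwned"));

        compileAndInit(generateUnsafe("x", evilScript));
        System.out.println("unsafe, javadoc vector: jiffle.pwned2=" + System.getProperty("jiffle.pwned2"));

        try {
            generateSafe(evilName, "dest = 1;");
        } catch (IllegalArgumentException e) {
            System.out.println("safe: rejected -> " + e.getMessage());
        }
        // Compiles, but the injected text stays inside the comment.
        compileAndInit(generateSafe("x", evilScript));
        System.out.println("safe, javadoc vector: payload remained a comment");
    }
}
```

Two points worth noting for anyone auditing a similar generator: a regex like the one above is a whitelist, not an escape, so it is the right tool for identifiers, whereas free-form script text has no safe escape except removing or splitting every token that can end the enclosing construct; and the injected code runs at class-load time, before any method of the runtime object is ever called, so "we only call a method we trust" is not a mitigation.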


WAF Protection Rules

WAF Rule

### Impact
Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the
