CVE-2022-24816: Improper Control of Generation of Code ('Code Injection') in jai-ext
CVSS Score: 9.8 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-24816
GHSA ID:
EPSS Score: 0.99903%
CWE: Improper Control of Generation of Code ('Code Injection')
Published: 9/19/2023
Updated: 2/18/2025
KEV Status: Yes
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
it.geosolutions.jaiext.jiffle:jt-jiffle | maven | < 1.1.22 | 1.1.22 |
it.geosolutions.jaiext.jiffle:jt-jiffle-language | maven | < 1.1.22 | 1.1.22 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two related issues. First, the Jiffle class's runtime compilation step (createRuntimeInstance) inserted unvalidated user input directly into the Java source it generates and compiles. Second, the Script class accepted variable names that are not valid identifiers, so a crafted name could be leveraged for code injection through that generated source. The patch adds identifier validation (a VALID_IDENTIFIER regex) in the Script constructor and proper escaping of user-supplied text before it is written into generated comments, confirming these two paths as the injection vectors. The commit message specifically mentions validating input variable names and escaping Javadocs, which matches the functions that changed.
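As an added illustration of the two fixes described above (example code, not jai-ext's or Jiffle's own), the snippet below shows a small script-to-Java code generator that checks variable names against an assumed identifier regex before templating them into source and escapes untrusted text before it lands in a generated Javadoc comment; the class name, regex and template are assumptions, since the real VALID_IDENTIFIER pattern is not on this page. It goes one step beyond the page by also neutralising backslash-u escapes, which javac translates before it tokenises comments and which can therefore spell the comment terminator.

```java
import java.util.regex.Pattern;

public final class SafeScriptCodeGen {
    // Assumed rule (the real VALID_IDENTIFIER pattern is not on this page):
    // a plain Java-style name, so nothing that could close an expression
    // or statement can pass through into the generated source.
    private static final Pattern VALID_IDENTIFIER =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /** Rejects any script variable name that is not a plain identifier. */
    static String requireIdentifier(String name) {
        if (name == null || !VALID_IDENTIFIER.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid script variable name: " + name);
        }
        return name;
    }

    /**
     * Neutralises untrusted text before it is placed inside a Javadoc comment.
     * Two things can end the comment early: the literal terminator sequence
     * (star followed by slash) and a backslash-u escape that spells it, because
     * javac translates backslash-u escapes before it tokenises comments.
     * Doubling every backslash leaves each backslash-u preceded by an odd
     * number of backslashes, which the JLS does not treat as an escape.
     */
    static String escapeJavadoc(String text) {
        return text.replace("\\", "\\\\").replace("*/", "* /");
    }

    /** Emits the Javadoc and field declaration for one script variable. */
    static String generateField(String name, String description) {
        String id = requireIdentifier(name);
        return "    /** Script variable: " + escapeJavadoc(description) + " */\n"
             + "    double " + id + ";\n";
    }

    public static void main(String[] args) {
        // Constructed inputs: a description that tries to close the comment early,
        // and names that must be rejected before reaching the template.
        System.out.print(generateField("elevation", "height above datum */ still a comment"));
        for (String bad : new String[] { "tmp-1", "a b", "" }) {
            try {
                requireIdentifier(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```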