Advisories for Maven/It.geosolutions.jaiext.jiffle/Jt-Jiffle package

2022

Improper Control of Generation of Code ('Code Injection')

JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting …