GHSA-v92f-jx6p-73rx

GitHub Security Advisory

Improper Control of Generation of Code ('Code Injection') in jai-ext

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

### Impact
Programs that use jt-jiffle and allow a Jiffle script to be supplied via a network request are susceptible to remote code execution, because the Jiffle script is compiled into Java code via Janino and then executed. In particular, this affects the downstream GeoServer project.

### Patches
Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script.

### Workarounds
Remove the ability to compile Jiffle scripts in the final application by removing janino-x.y.z.jar from the classpath.
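To confirm the workaround has actually been applied to a deployment, the following added example (not part of the advisory, and not GeoServer or jai-ext tooling) scans an application's library directory for Janino jars and reports whether any remain. The directory layout and jar file names used in the demo are constructed for this example; point the functions at whatever directory holds the application's jars in your own deployment.

```shell
#!/bin/sh
# Added example: verify that no Janino jar is left on an application's
# classpath, which is the workaround the advisory describes.

# Print every janino-*.jar found under the given directory, one per line.
# Prints nothing when none is present.
find_janino_jars() {
    find "$1" -type f -name 'janino-*.jar' 2>/dev/null | sort
}

# Exit status 0 when at least one Janino jar is present (workaround NOT
# applied), 1 when no Janino jar was found.
janino_present() {
    [ -n "$(find_janino_jars "$1")" ]
}

# Human-readable report for one directory; returns the same status as
# janino_present so it can drive a deployment check.
report_dir() {
    dir=$1
    if janino_present "$dir"; then
        echo "FAIL: Janino still on classpath under $dir:"
        find_janino_jars "$dir" | sed 's/^/  /'
        return 0
    fi
    echo "OK: no janino-*.jar under $dir"
    return 1
}

# Demo on a constructed directory tree (file names are made up for the
# example; they are not taken from any real distribution).
demo_run() {
    tmp=$(mktemp -d) || return 0
    mkdir -p "$tmp/lib"
    : > "$tmp/lib/jt-jiffle-1.1.21.jar"   # constructed name
    : > "$tmp/lib/janino-3.1.9.jar"       # constructed name
    report_dir "$tmp" || true             # expected: FAIL, jar listed
    rm -f "$tmp/lib/janino-3.1.9.jar"     # apply the workaround
    report_dir "$tmp" || true             # expected: OK
    rm -rf "$tmp"
}

demo_run
```

The match pattern is deliberately narrow (`janino-*.jar`, matching the jar name the advisory gives); if a deployment bundles the compiler under a different file name, extend the pattern accordingly rather than trusting a clean report.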

### References
None.

Affected Packages

Maven it.geosolutions.jaiext.jiffle:jt-jiffle
Affected versions: 0 (fixed in 1.1.22)
Maven it.geosolutions.jaiext.jiffle:jt-jiffle-language
Affected versions: 0 (fixed in 1.1.22)

Key Information

GHSA ID
GHSA-v92f-jx6p-73rx
Published
September 19, 2023 8:35 PM
Last Modified
February 18, 2025 10:39 PM
CVSS Score
9.0 /10
Primary Ecosystem
Maven
Primary Package
it.geosolutions.jaiext.jiffle:jt-jiffle
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.