GeoServer JAI-EXT extension command injection
Added: 06/27/2024

Background
GeoServer is an open source server for sharing geospatial data. Java Advanced Imaging (JAI) is an API that provides a set of high-level objects for image processing. JAI-EXT is an open source project that extends the JAI API. Jiffle is a map algebra language provided by JAI-EXT.

Problem
A vulnerability in the handling of Jiffle requests by JAI-EXT could allow a remote attacker to execute arbitrary commands on the GeoServer host.

Resolution
Upgrade to version 1.2.22 or higher, or remove the janino-x.x.x.jar file.
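An added check (not part of the advisory) that flags a GeoServer library directory still matching either condition of the resolution: a Janino jar present, or a JAI-EXT jar below 1.2.22. The WEB-INF/lib location, the jt-<module>-<x.y.z>.jar naming of JAI-EXT artifacts and the dotted x.y.z version format are assumptions.

```shell
#!/bin/sh
# Added check, not from the advisory: scan a GeoServer WEB-INF/lib directory for
# the two conditions the resolution names (a janino-*.jar still present, or a
# JAI-EXT jar below the fixed version). Assumptions: the lib directory path, the
# jt-<module>-<x.y.z>.jar naming of JAI-EXT artifacts, and dotted x.y.z versions.

FIXED_VERSION="1.2.22"   # minimum JAI-EXT version stated in the resolution

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
version_lt() {
    v=${1%%[!0-9.]*}.0.0; w=${2%%[!0-9.]*}.0.0   # strip -SNAPSHOT etc., pad short versions
    a1=${v%%.*}; v=${v#*.}; a2=${v%%.*}; v=${v#*.}; a3=${v%%.*}
    b1=${w%%.*}; w=${w#*.}; b2=${w%%.*}; w=${w#*.}; b3=${w%%.*}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# check_lib_dir DIR: print findings; return 1 if anything needs action, 0 if clean.
check_lib_dir() {
    dir=$1; status=0
    for jar in "$dir"/janino-*.jar; do
        [ -e "$jar" ] || continue                  # an unmatched glob stays literal
        echo "FINDING: Janino jar still present: $jar"
        status=1
    done
    for jar in "$dir"/jt-*.jar; do
        [ -e "$jar" ] || continue
        name=${jar##*/}; name=${name%.jar}; ver=${name##*-}
        case $ver in [0-9]*) ;; *) continue ;; esac   # skip jars without a version suffix
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "FINDING: JAI-EXT $ver is below $FIXED_VERSION: $jar"
            status=1
        fi
    done
    return $status
}

# Usage (path is an assumption): check_lib_dir /path/to/geoserver/WEB-INF/lib
```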
References
https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx