
CVE-2022-43938

Severity: High · Impact: RCE

Published: 03 April 2023
Modified: 21 November 2024
KEV Added: not listed (see Summary)
Patch: available; upgrade to 9.4.0.1 or 9.3.0.2 (see Deeper analysis)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0386 (88.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-43938 is a high-severity static code injection (CWE-96) vulnerability in Hitachi Vantara Pentaho Business Analytics Server. Its CVSS v3.1 base score is 8.8 (High).

Operationally, its EPSS score places it in the top 11.5% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Deeper analysis

CVE-2022-43938 affects Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.1 and 9.3.0.2, including all 8.3.x releases. The flaw is that a system administrator cannot disable the scripting capabilities of Pentaho Report files (*.prpt) through the JVM script manager, so scripts embedded in a report bundle stay executable on the server regardless of configuration. The weakness maps to CWE-94 (code injection) and CWE-96 (static code injection).

An authenticated user with low privileges can supply a malicious report file whose embedded script executes arbitrary code on the server, resulting in full compromise of confidentiality, integrity, and availability without user interaction. Because the attack is network-reachable and needs only a low-privileged account with report-upload or scheduling rights (CVSS PR:L), it can be performed by any authorized analyst or by a compromised low-privileged account.
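The impact above is that a report bundle can carry a script the administrator cannot switch off. As an added example, not part of this page or of Pentaho's own code, the Python below builds a constructed minimal .prpt (a ZIP bundle of XML members) containing one benign formula expression and one BeanShell expression, then scans every XML member for expression or data-source classes that look script-engine backed. The XML namespace, class names and member names are illustrative assumptions about the bundle format, and the pattern is a triage heuristic, not an enumeration of every scripting path the reporting engine supports.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

# Heuristic markers for script-engine-backed expression / data-source classes.
# Illustrative assumption: these are the substrings a reviewer would expect to
# see in such class names, not an authoritative list of Pentaho classes.
SCRIPT_ENGINE_PATTERN = re.compile(
    r"(?i)(beanshell|\bbsh\b|\.bsf\.|scriptable|javascript|groovy|jsr223|scriptengine)"
)

# A .prpt is a ZIP; refuse to inflate huge members so a crafted bundle cannot
# exhaust the scanner's memory.
MAX_MEMBER_BYTES = 4 * 1024 * 1024

# Constructed sample expressions.xml (namespace and class names assumed).
SAMPLE_EXPRESSIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<expressions xmlns="http://reporting.pentaho.org/namespaces/engine/classic/bundle/expressions/1.0">
  <expression name="Total" class="org.pentaho.reporting.engine.classic.core.function.FormulaExpression">
    <property name="formula">=SUM([Amount])</property>
  </expression>
  <expression name="Pwn" class="org.pentaho.reporting.engine.classic.core.modules.misc.beanshell.BSHExpression">
    <property name="expression">Runtime.getRuntime().exec("id");</property>
  </expression>
</expressions>
"""


def build_sample_prpt() -> bytes:
    """Assemble a minimal in-memory .prpt bundle (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("expressions.xml", SAMPLE_EXPRESSIONS_XML)
        zf.writestr("layout.xml", '<?xml version="1.0"?><layout/>')
    return buf.getvalue()


def _local_name(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag."""
    return tag.rsplit("}", 1)[-1]


def scan_prpt(data: bytes) -> List[Dict[str, str]]:
    """Return one finding per attribute value naming a script-engine class.

    Oversized or unparseable members are reported as findings too: a bundle
    the scanner cannot inspect should not be waved through.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"member": info.filename, "element": "", "name": "",
                                 "class": "", "issue": "member too large, skipped"})
                continue
            try:
                root = ET.fromstring(zf.read(info))
            except ET.ParseError as exc:
                findings.append({"member": info.filename, "element": "", "name": "",
                                 "class": "", "issue": f"unparseable XML: {exc}"})
                continue
            for el in root.iter():
                for value in el.attrib.values():
                    if SCRIPT_ENGINE_PATTERN.search(value):
                        findings.append({
                            "member": info.filename,
                            "element": _local_name(el.tag),
                            "name": el.get("name", ""),
                            "class": value,
                            "issue": "script-engine backed element",
                        })
    return findings


if __name__ == "__main__":
    for f in scan_prpt(build_sample_prpt()):
        print(f"{f['member']}: <{f['element']} name={f['name']!r}> {f['class']} ({f['issue']})")
```

Run it over the report repository and the upload directory of an unpatched server before and after patching; any hit from a low-privileged author warrants review, since on affected builds the engine will run that script no matter what the administrator configured.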

The vendor advisory directs customers to upgrade to 9.4.0.1, 9.3.0.2, or later; the same article notes that earlier releases, including the entire 8.3 branch, remain exposed until patched.
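Because the fix landed on two branches, a single "less than 9.4.0.1" comparison misclassifies 9.3.0.2 (fixed) as vulnerable. As an added example, not from the vendor advisory or the Pentaho project, the Python below encodes the affected range exactly as stated above and applies it to a constructed inventory; the host names and build strings are made up, and the tolerance for a trailing build suffix such as "-4" is an assumption about how builds are labelled.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per the vendor advisory: 9.4.0.1 on the 9.4 branch and
# 9.3.0.2 on the 9.3 branch. Everything earlier, the whole 8.3.x line
# included, is affected.
FIXED_94 = (9, 4, 0, 1)
FIXED_93 = (9, 3, 0, 2)


def parse_version(build: str) -> Tuple[int, ...]:
    """Turn '9.3.0.2' or '9.4.0.0-527' into a 4-tuple of ints.

    Only the first four numeric components are compared; any trailing build
    number (assumed format, e.g. '-527') is ignored.
    """
    nums = [int(n) for n in re.findall(r"\d+", build)][:4]
    if not nums:
        raise ValueError(f"unparseable version: {build!r}")
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(build: str) -> bool:
    """True if the build falls inside the range the advisory describes."""
    v = parse_version(build)
    if v[:2] >= (9, 4):
        # 9.4 branch and later: only builds before 9.4.0.1 (i.e. 9.4.0.0) are exposed.
        return v < FIXED_94
    # 9.3 branch and every earlier branch (8.3.x, 9.0, 9.1, 9.2 ...): fixed at 9.3.0.2.
    return v < FIXED_93


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the host names (sorted) that still need the patch."""
    return sorted(host for host, build in inventory.items() if is_affected(build))


# Constructed inventory for illustration; host names and builds are made up.
SAMPLE_INVENTORY = {
    "ba-prod-01": "9.4.0.0",
    "ba-prod-02": "9.4.0.1",
    "ba-legacy-01": "8.3.0.0",
    "ba-stage-01": "9.3.0.2",
    "ba-stage-02": "9.3.0.1-4",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: build {SAMPLE_INVENTORY[host]} is affected by CVE-2022-43938")
```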

EPSS for the CVE rose from a low baseline to a peak of 0.2260 before receding to the current 0.0386, a clear post-disclosure spike in estimated exploitation interest that warrants renewed attention even though the score has since fallen.

Vulnerability details

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, does not allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Hitachi Vantara Pentaho Business Analytics Server: 9.4.0.0 and all releases prior to 9.3.0.2 (including the entire 8.3.x line), per the vendor advisory

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-96, CWE-94: eliminates the possibility of static code injection into saved executables by making the storage non-modifiable. For this CVE that means serving reviewed report bundles from read-only storage so a deployed .prpt cannot be swapped or edited by a report author after approval.

Addresses CWE-94: dynamically generated code is produced and executed inside an isolated chamber (sandbox), preventing host compromise from code-injection payloads. The JVM script engines used by report expressions run in the server process, so isolation has to come from the process or container boundary around the BA Server, not from the engine itself.

Addresses CWE-94: validates inputs used in dynamic code generation to block injected directives. Here the "input" is the uploaded report bundle, so the practical form is rejecting or quarantining .prpt files that contain script-backed expressions or data sources until patched builds are deployed.

Addresses CWE-94: directly prevents execution of attacker-supplied code written into data memory regions (DEP/NX). This control targets native code injection and does not stop a script executed by an interpreter inside the JVM, which is the execution path in this CVE; it is listed only because of the generic CWE mapping.