CVE-2022-43938
Published: 03 April 2023
Summary
CVE-2022-43938 is a high-severity Static Code Injection (CWE-96) vulnerability in Hitachi Vantara Pentaho Business Analytics Server. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 11.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-43938 affects Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.1 and 9.3.0.2, including all 8.3.x releases. The flaw prevents a system administrator from disabling the scripting capabilities of Pentaho Reports files (*.prpt) through the JVM script manager, so script content embedded in a report is not neutralized before execution; this maps to CWE-94 and CWE-96. The vulnerability carries a CVSS 3.1 score of 8.8.
An authenticated user with low privileges can supply a malicious report file that executes arbitrary code on the server, resulting in full compromise of confidentiality, integrity, and availability without user interaction. Because the attack is network-reachable and requires only report-upload or scheduling rights, it can be performed by any authorized analyst or compromised low-privileged account.
The vendor advisory directs customers to upgrade to 9.4.0.1, 9.3.0.2, or later; the same advisory notes that earlier releases, including the entire 8.3 branch, remain exposed until patched.
EPSS for the CVE rose from a low baseline to a peak of 0.2260 before receding to the current 0.0386, indicating a clear post-disclosure increase in exploitation interest that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-46908
Vulnerability details
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Eliminates the possibility of static code injection into saved executables by making the storage non-modifiable.
- Dynamically generated code can be produced and executed inside an isolated sandbox, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.