Cyber Resilience

CVE-2022-47878

High · Public PoC

Published: 02 May 2023

Modified: 06 November 2025
KEV Added: not listed
Patch: fixed in version 22.3 (per vendor)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1320 (94.3rd percentile)
Risk Priority: 26 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-47878 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Jedox. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-47878 is an unrestricted file upload vulnerability (CWE-434) caused by insufficient input validation of the default-storage-path setting in Jedox versions up to 22.2. The flaw resides in the on-premises web application's settings page, which accepts the web server's document root (Webroot) as a storage location.

Remote authenticated users with low-privileged accounts can exploit the issue by configuring the storage path to the Webroot and then uploading files that the web server will execute, resulting in arbitrary code execution on the server. The CVSS 3.1 score is 8.8: network attack vector, low attack complexity, low privileges required, and no user interaction.
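The two controls whose absence the analysis above describes are a storage-path validator that refuses any location inside the web server's document root, and an upload-name policy that rejects executable or stacked extensions. The Python below is an added defensive illustration written for this page; it is not Jedox's code, and the directory layout, the allowed-extension set and the function names are assumptions.

```python
import os
import posixpath

# Assumed deployment layout and upload policy (constructed for this example).
WEBROOT = "/var/www/app/htdocs"
DEFAULT_STORAGE = "/var/lib/app/storage"
ALLOWED_EXTENSIONS = {".csv", ".xlsx", ".txt", ".pdf"}


def _canonical(path: str) -> str:
    """Absolute, normalised, symlink-resolved form of a path."""
    return os.path.realpath(os.path.abspath(path))


def validate_storage_path(candidate: str, webroot: str = WEBROOT) -> str:
    """Return the canonical storage path, or raise ValueError if it is
    missing, relative, or lies inside (or equals) the document root."""
    if not candidate or not os.path.isabs(candidate):
        raise ValueError("storage path must be absolute")
    canon = _canonical(candidate)
    root = _canonical(webroot)
    # commonpath compares whole components, so "/htdocs-data" is not
    # mistaken for a child of "/htdocs".
    if os.path.commonpath([canon, root]) == root:
        raise ValueError(f"storage path {canon!r} lies inside webroot {root!r}")
    return canon


def validate_upload_name(filename: str) -> str:
    """Return a safe basename or raise ValueError.

    Rejects path separators and traversal, hidden files, and any extension
    outside the allow-list; every extension in a stacked name such as
    "report.csv.php" must be allowed, not just the last one."""
    basename = posixpath.basename(filename.replace("\\", "/"))
    if basename in ("", ".", "..") or basename != filename:
        raise ValueError("path separators or traversal in upload name")
    parts = basename.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        raise ValueError("upload must have a name and an extension")
    exts = {"." + p for p in parts[1:]}
    if not exts <= ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {sorted(exts - ALLOWED_EXTENSIONS)}")
    return basename


def storage_path_allowed(candidate: str, webroot: str = WEBROOT) -> bool:
    """Boolean form of validate_storage_path for policy checks."""
    try:
        validate_storage_path(candidate, webroot)
        return True
    except ValueError:
        return False


def upload_name_allowed(filename: str) -> bool:
    """Boolean form of validate_upload_name for policy checks."""
    try:
        validate_upload_name(filename)
        return True
    except ValueError:
        return False


def plan_upload(storage_setting: str, filename: str) -> str:
    """Both checks together: the final on-disk path for an accepted upload."""
    storage = validate_storage_path(storage_setting)
    return os.path.join(storage, validate_upload_name(filename))


if __name__ == "__main__":
    for setting in (DEFAULT_STORAGE, WEBROOT, WEBROOT + "/uploads",
                    WEBROOT + "/../htdocs/uploads", WEBROOT + "-data"):
        print(f"{setting:45} allowed={storage_path_allowed(setting)}")
    for name in ("report.csv", "report.csv.php", "../report.csv", ".htaccess"):
        print(f"{name:45} allowed={upload_name_allowed(name)}")
```

The storage check resolves the candidate before comparing it, so a setting that reaches the document root through `..` components is rejected as reliably as a direct path; the name check treats every extension in the name as significant, which is what defeats stacked-extension uploads on servers that dispatch on the first recognised extension.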

Vendor disclosures and the associated Jedox issue tracker state that the problem was fixed in version 22.3; the vendor further notes that only on-premises deployments are affected and that cloud-hosted or SaaS instances are not impacted. Public references include a detailed vulnerability disclosure document and a PacketStorm proof-of-concept.

EPSS peaked at 0.2563 after disclosure before receding to the current value of 0.1320, indicating a measurable rise in exploitation interest following the public release.

Vulnerability details

Incorrect input validation for the default-storage-path in the settings page in Jedox 2020.2.5 allows remote, authenticated users to specify the location as Webroot directory. Consecutive file uploads can lead to the execution of arbitrary code. NOTE: The vendor states that the vulnerability affects installations running version 22.2 or earlier. The issue was resolved with the version 22.3 and later versions are not affected. Additionally, the vendor states that this vulnerability affects on-premises deployments only and that it does not impact cloud-hosted or SaaS environments.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: jedox
Product: jedox
Version: 2020.2.5

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.
