History: Apr 03, 2023 - 6:48 p.m.

CVE-2022-3960 Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

2023-04-03 18:48:00
CWE-96
HITVAN
www.cve.org
7
cve-2022-3960
hitachi vantara
pentaho business analytics
static code injection
community dashboard editor
system administrator

CVSS3: 6.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score: 6.4
Confidence: High

EPSS: 0.001
Percentile: 28.5%

Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.1 and 9.3.0.2, including 8.3.x, do not allow a system administrator to disable the scripting capabilities of the Community Dashboard Editor (CDE) plugin.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Community Dashboard Editor Plugin"
    ],
    "product": "Pentaho Business Analytics Server",
    "vendor": "Hitachi Vantara",
    "versions": [
      {
        "lessThan": "9.3.0.2",
        "status": "affected",
        "version": "1.0",
        "versionType": "maven"
      },
      {
        "lessThan": "9.4.0.1",
        "status": "affected",
        "version": "9.4.0.0",
        "versionType": "maven"
      }
    ]
  }
]
