Support Expiration Notice: Pentaho 9.3 will reach end of support on July 1, 2026. See this article for details.

Customer Portal

Get a grip on your data

With battle-tested solutions and a focus on foundational strength,

Pentaho helps you meet the challenges of an AI-driven world.

  1. Pentaho Customer Portal
  2. Known Vulnerability Updates
  3. Security Updates

(Resolved) Pentaho BA Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') - Versions before 9.4.0.1 and 9.3.0.2 Impacted (CVE-2022-43940) (CVE-2022-3960)

by Dan Begey - Follow

Overview 

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template. (CWE-96) 

 

Products Affected 

Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2 impacted.

 

Description 

Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2 cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin. 

 

Impact 

Using such scripts, an authenticated user with sufficient publishing privileges can embed scripts and run arbitrary code on the clients. By default, there is no option to prevent the execution of the included scripts. 

 

Action  

The defect can be mitigated now by removing the CDE plugin. 

We recommend you upgrade to the Pentaho Business Analytics Server version 9.5 release or newer. For version 9.3 this may be resolved with Service Pack 9.3.0.2 or newer applied, or for version 9.4 with 9.4.0.1 or newer. 

Please review the Pentaho End-of-Life policy to ensure you are up to date.

 

Internal Notes: (Non Customer View-able - Non Confidential)

This issue is logged under JIRA PPP-4798

Comments