CVE-2022-43938

Name of the Vulnerable Software and Affected Versions Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.1 and 9.3.0.2, including 8.3.x

Description The issue is related to errors in input data processing during code syntax analysis. Exploitation of this issue may allow a remote attacker to execute arbitrary code. The problem is that system administrators cannot disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.

Recommendations For versions prior to 9.4.0.1 and 9.3.0.2, including 8.3.x, update to version 9.4.0.1 or 9.3.0.2 or later to resolve the issue. As a temporary workaround, consider disabling the scripting capabilities of Pentaho Reports (*.prpt) manually until a patch is available.