CVE-2022-47875

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated remote attackers to perform directory (path) traversal via the /be/erpc.php endpoint in Jedox, potentially leading to arbitrary code execution on the Jedox host. Jedox GmbH Jedox 2020.2.5 is confirmed affected, and other versions are likely affected as well. Exploitation requires valid Jedox credentials.

💻 Affected Systems

Products:
  • Jedox GmbH Jedox
Versions: 2020.2.5 confirmed. Other releases before the patched version are likely affected; confirm the exact range against the vendor advisory linked below.
Operating Systems: All platforms running Jedox
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the /be/erpc.php endpoint. The vulnerability exists in the core application code.

📦 What is this software?

Jedox is a business intelligence and enterprise planning platform from Jedox GmbH, built around an in-memory OLAP database with a web front end (Jedox Web). The vulnerable /be/erpc.php endpoint belongs to that web front end, which is why the page lists the default configuration as vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the Jedox server, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Unauthorized file access and remote code execution leading to data exfiltration, privilege escalation, or installation of backdoors.

🟢

If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and file system permissions preventing successful exploitation.

🌐 Internet-Facing: HIGH - If the Jedox instance is exposed to the internet, authenticated attackers can exploit this vulnerability remotely.
🏢 Internal Only: HIGH - Even internally, any user with valid credentials, or an attacker who has compromised an account, can use this vulnerability to run code on the Jedox host.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY (a public PoC exists; this page cites no confirmed in-the-wild use)
Unauthenticated Exploit: No (valid Jedox credentials required)
Complexity: LOW

Public exploit details available in Packet Storm references. Attack requires authentication but the directory traversal and RCE chain is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2022.4.2 or later (check latest vendor release)

Vendor Advisory: https://docs.syslifters.com/assets/vulnerability-disclosure/Vulnerability-Disclosure-Jedox-Jedox-04-2023.pdf

Restart Required: Yes

Instructions:

1. Back up the current Jedox installation and data.
2. Download the latest patched version from Jedox official sources.
3. Follow the vendor upgrade documentation.
4. Restart Jedox services.
5. Verify the fix: confirm the running version is the patched one, and re-run the traversal check from "How to Verify" against a non-production copy.

🔧 Temporary Workarounds

Block erpc.php endpoint

all

Temporarily block access to the vulnerable endpoint using web server or firewall rules. The endpoint is part of the core application, so blocking it outright will likely break legitimate Jedox Web functionality: test on a non-production instance first and, where possible, limit the block to untrusted source ranges instead of denying everyone.

# Apache (vhost or server context; needs mod_rewrite):
#   RewriteEngine On
#   RewriteRule ^/be/erpc\.php$ - [F]
# Nginx (place it before other regex location blocks that could match the same path):
#   location ~ ^/be/erpc\.php$ { deny all; }
# Windows Firewall (this blocks ALL HTTP/HTTPS to the host, i.e. the whole web interface, not just erpc.php; replace "Any" with the untrusted ranges to scope it):
#   New-NetFirewallRule -DisplayName "Block Jedox erpc" -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress Any -Action Block

Restrict file system permissions

all

Limit what the account running the Jedox web server can write, so a traversal cannot drop or overwrite files the server will later execute. Tightening the data directory alone does not help when the service account owns it; the application code tree must be read-only for that account, while the directories it legitimately writes to (data, logs, temp) stay writable. Test after every change.

# Linux: make the application code tree owned by root and read-only for the service group
#   (replace "jedox" with the user/group the Jedox web server actually runs as; the path is a placeholder):
#   chown -R root:jedox /path/to/jedox/app && chmod -R 750 /path/to/jedox/app
# Windows: deny write access on the install tree to the Jedox web server's service account, then re-grant it on the data/log directories the application needs
#   (substitute the real service account; "IIS_IUSRS" is only correct if the site is actually served by IIS):
#   icacls "C:\Program Files\Jedox" /deny "<jedox-web-service-account>:(OI)(CI)(W)"
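
Before and after applying the permission changes above it is worth knowing exactly where the service account can write. The following script is an added example (not from this page, Jedox, or the advisory): it walks an install tree and reports every directory and file whose mode bits let a given uid/gid write to it. The tree it builds is a constructed stand-in, not the real Jedox layout, and the current process account stands in for the service account; on a real host pass the service account's uid/gid and the actual install root.

```python
import os
import stat
import tempfile


def paths_writable_by(root, uid, gid):
    """Walk root and return (sorted, root-relative) paths whose permission bits let
    the account (uid, gid) write to them: owner-write where it owns the path,
    group-write where its group matches, or other-write for everyone.

    Only mode bits are inspected: root bypasses them and POSIX ACLs are not read,
    so treat a clean result as necessary, not sufficient."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(entry)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own bits mean nothing; its target is checked where it lives
            writable = (
                (st.st_uid == uid and mode & stat.S_IWUSR)
                or (st.st_gid == gid and mode & stat.S_IWGRP)
                or (mode & stat.S_IWOTH)
            )
            if writable:
                hits.append(os.path.relpath(entry, root))
    return sorted(hits)


def current_account():
    """(uid, gid) of the account running this script; stand-in for the service account."""
    return os.getuid(), os.getgid()


def make_sample_install():
    """Constructed stand-in for an install tree (not a real Jedox layout): read-only
    application code beside a writable data directory with a world-writable upload dir."""
    root = tempfile.mkdtemp(prefix="jedox-perm-audit-")
    app = os.path.join(root, "app")
    upload = os.path.join(root, "data", "upload")
    os.makedirs(app)
    os.makedirs(upload)
    script = os.path.join(app, "erpc.php")
    with open(script, "w") as fh:
        fh.write("<?php // constructed placeholder, not the real file\n")
    os.chmod(script, 0o444)
    os.chmod(app, 0o555)
    os.chmod(os.path.join(root, "data"), 0o750)
    os.chmod(upload, 0o777)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    root = make_sample_install()
    uid, gid = current_account()
    print("writable by the owning account:", paths_writable_by(root, uid, gid))
    print("writable by any other account: ", paths_writable_by(root, -1, -1))
```

The interesting output is the first list: anything under the application code tree that appears there is a location a traversal could turn into code execution, and the chown/chmod step above is meant to empty it. The second call (an account that owns nothing) shows only world-writable paths, which should be none in a hardened install.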

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jedox servers from critical systems
  • Enforce multi-factor authentication and strong password policies for all Jedox accounts

🔍 How to Verify

Check if Vulnerable:

Only test systems you are authorized to assess. With a valid session, send requests to /be/erpc.php whose file parameter contains traversal sequences (e.g. ../../etc/passwd on Linux, ..\..\Windows\win.ini on Windows) and check whether the response returns the target file; prefer a harmless canary file where you can. This page does not name the parameter; the vendor advisory and the Packet Storm references describe the request format.

Check Version:

# Linux: check the About/version dialog in Jedox Web, or inspect the installation directory for a version file, e.g.
#   grep -i version /opt/jedox/version.txt   (path is illustrative; installs vary)
# Windows: check the Jedox installation directory for version files, the installed-programs list, or the registry uninstall entries

Verify Fix Applied:

After patching, attempt the same directory traversal tests and verify they are blocked. Check that the patched version is running.

📡 Detection & Monitoring

Log Indicators:

  • Requests to /be/erpc.php whose parameters contain traversal sequences: ../ or ..\ and their URL-encoded forms (%2e%2e%2f, %2e%2e%5c, double-encoded %252e%252e%252f)
  • Multiple failed authentication attempts followed by a successful login and then such requests (ordinary users also call erpc.php, so the endpoint alone is not an indicator)
  • Unusual file access patterns from the Jedox web server process, especially reads outside the application and data directories

Network Indicators:

  • POST or GET requests to /be/erpc.php carrying file paths in parameters (POST bodies are not in standard access logs; a WAF or request-body logging is needed to see them)
  • Traffic spikes from the Jedox server to external IPs after erpc.php access

SIEM Query:

(source="jedox.log" AND uri="/be/erpc.php" AND (message="*../*" OR message="*..\\*" OR message="*%2e%2e%2f*" OR message="*%2e%2e%5c*"))
OR (event_type="authentication" AND result="success" AND source_ip="<suspicious_ip>" AND destination="<jedox_server>")

(Generic pseudo-query: adapt field names and wildcard syntax to your SIEM, match substrings rather than exact values, and fill in the placeholders.)
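
The log indicators and the SIEM query above reduce to one rule: a request to /be/erpc.php whose target, after URL decoding, contains a traversal sequence. The script below is an added example (not from this page, Jedox, or the advisory) of that rule applied to web-server access logs. It assumes combined log format, decodes repeatedly so double-encoded payloads are caught, and accepts both slash styles. The sample lines are constructed, and the query parameter name "f" is hypothetical.

```python
import re
from urllib.parse import unquote

# One access-log line in combined log format (Apache/Nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# ".." followed by a forward or back slash, evaluated on the decoded request target.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')

# Constructed sample lines for illustration only (not real Jedox logs). The query
# parameter name "f" is hypothetical; the real request format is in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2023:10:01:02 +0000] "POST /be/erpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Apr/2023:10:01:09 +0000] "POST /be/erpc.php?f=../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.88.1"
10.0.0.7 - - [12/Apr/2023:10:02:11 +0000] "GET /be/erpc.php?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432 "-" "python-requests/2.31"
10.0.0.7 - - [12/Apr/2023:10:02:15 +0000] "GET /be/erpc.php?f=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 200 220 "-" "python-requests/2.31"
10.0.0.9 - - [12/Apr/2023:10:03:00 +0000] "GET /ui/login/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Apr/2023:10:03:30 +0000] "POST /be/erpc.php?f=..\\..\\..\\windows\\win.ini HTTP/1.1" 200 220 "-" "Mozilla/5.0"
"""


def normalize_target(target, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded sequences are caught;
    stop as soon as a round changes nothing."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_traversal_requests(log_text):
    """Return one dict per request to /be/erpc.php whose decoded target contains a
    traversal sequence. Other paths and benign erpc.php calls are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line (or truncated); skip it
        raw = m.group('target')
        decoded = normalize_target(raw)
        path = decoded.split('?', 1)[0]
        if '/be/erpc.php' not in path.lower():
            continue
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                'ip': m.group('ip'),
                'ts': m.group('ts'),
                'method': m.group('method'),
                'status': int(m.group('status')),
                'target': raw,
                'decoded': decoded,
            })
    return hits


def count_by_source(hits):
    """Attempts per source IP, the figure to threshold or pivot on in a SIEM."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    found = find_traversal_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['status']} {h['target']} -> {h['decoded']}")
    print(count_by_source(found))
```

On the sample, the plain, URL-encoded, double-encoded and backslash variants are all flagged while the benign erpc.php call and the login page are not. Two limits carry over from the indicators above: parameters sent in a POST body never reach the access log, so this only sees GET query strings unless request-body logging or a WAF feeds the pipeline, and a 200 status on a flagged request is worth treating as a probable successful read rather than a mere probe.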
