CVE-2022-47879

7.5 HIGH

📋 TL;DR

This CVE describes a Remote Code Execution vulnerability in Jedox's /be/rpc.php endpoint that allows authenticated users to load arbitrary PHP classes and execute their methods. It affects Jedox installations running version 22.5 or earlier, with the vulnerability resolved in version 23.2. Attackers with valid credentials can achieve code execution on affected systems.

💻 Affected Systems

Products:
  • Jedox
Versions: 2020.2.5 through 22.5 (inclusive)
Operating Systems: All platforms running Jedox
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the default installation of affected versions. Vendor states version 23.2 and later are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, install backdoors, pivot to other systems, and potentially disrupt business operations.

🟠 Likely Case

Authenticated attackers gaining code execution to exfiltrate sensitive business intelligence data, modify reports, or establish persistence in the environment.

🟢 If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring that detects unusual rpc.php activity.

🌐 Internet-Facing: HIGH if Jedox is exposed to the internet, as authenticated users (including compromised accounts) can exploit this vulnerability remotely.
🏢 Internal Only: MEDIUM to HIGH depending on internal threat landscape, as authenticated internal users or compromised accounts could exploit the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication but appears straightforward based on the vulnerability description. No public proof-of-concept was found in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 23.2 or later

Vendor Advisory: https://jedox.mantishub.io/app/issues/57236

Restart Required: Yes

Instructions:

1. Back up your Jedox installation and data.
2. Download Jedox version 23.2 or later from the official vendor website.
3. Follow the vendor's upgrade documentation for your specific deployment.
4. Restart the Jedox services after the upgrade.
5. Verify the fix by checking the version and testing functionality.

🔧 Temporary Workarounds

Restrict access to /be/rpc.php

Applies to: all platforms

Block or restrict access to the vulnerable endpoint using web server configuration or network controls.

# Apache 2.4 example (mod_authz_core); replace 192.168.1.0/24 with the range that must keep RPC access
<Location "/be/rpc.php">
    Require ip 192.168.1.0/24
</Location>

# Apache 2.2 equivalent (also works on 2.4 with mod_access_compat loaded)
<Location "/be/rpc.php">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Location>

# Nginx example: an exact-match location takes precedence over the generic "\.php$" location
location = /be/rpc.php {
    allow 192.168.1.0/24;   # drop this line to block the endpoint for everyone
    deny all;               # rules are evaluated in order, so allow must come before deny
    # Repeat the fastcgi_pass / PHP handling from your normal PHP location here;
    # otherwise clients that pass the allow rule get the raw file or a 404 instead of the script.
}

Implement Web Application Firewall rules

Applies to: all platforms

Add WAF rules to block suspicious requests to rpc.php with unusual parameters or class loading attempts.

# Example ModSecurity rule: denies rpc.php requests unless they come from a trusted range
# (remove the chained REMOTE_ADDR line to block the endpoint for everyone, legitimate use included)
SecRule REQUEST_URI "@rx ^/be/rpc\.php" \
    "id:1001,phase:1,chain,deny,status:403,log,msg:'Blocking Jedox RPC exploitation attempt'"
    SecRule REMOTE_ADDR "!@ipMatch 192.168.1.0/24"

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jedox servers from sensitive systems and limit lateral movement potential.
  • Enforce strong authentication controls including multi-factor authentication, regular credential rotation, and monitoring for suspicious login activity.

🔍 How to Verify

Check if Vulnerable:

Check the Jedox version via the web interface admin panel or by examining the installation directory. Versions 2020.2.5 through 22.5 are vulnerable.

Check Version:

# Check via web interface: Admin → System Information
# Or check installation files for version indicators

Verify Fix Applied:

After upgrading, verify the version shows 23.2 or later. Test that the /be/rpc.php endpoint still functions for legitimate use while monitoring for exploitation attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /be/rpc.php with suspicious parameters
  • Multiple failed authentication attempts followed by successful login and rpc.php access
  • Log entries showing loading of unusual PHP classes from the rtn directory

Network Indicators:

  • Unusual outbound connections from Jedox server to external IPs
  • Large data transfers from Jedox server shortly after rpc.php access

SIEM Query:

(source="jedox_logs" AND uri="/be/rpc.php" AND (param="*rtn*" OR param="*class*")) OR (event="authentication_success" AND source_ip="suspicious_ip" FOLLOWED BY uri="/be/rpc.php" WITHIN 5m)
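The pseudo-query above is not tied to any one SIEM. The script below is an added example (not part of the advisory or of Jedox) that applies the same three log indicators to an offline event stream: rpc.php requests from outside the trusted range used in the workaround, rpc.php parameters containing "rtn" or "class", and repeated failed logins followed by a successful login and an rpc.php request within five minutes. The JSON-lines event format and the sample events are constructed for the example; the field names mirror the SIEM query (source_ip, uri, param, event) and must be mapped onto your own log schema.

```python
"""Offline detection for the Jedox rpc.php log indicators (added example)."""
import ipaddress
import json
from datetime import datetime, timedelta

# Assumptions for this example: trusted range from the workaround above,
# markers from the SIEM query, a 5-minute correlation window.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
RPC_URI = "/be/rpc.php"
SUSPICIOUS_PARAM_MARKERS = ("rtn", "class")
LOGIN_WINDOW = timedelta(minutes=5)
FAILED_LOGIN_THRESHOLD = 2

# Constructed sample events (JSON lines); not real Jedox log output.
SAMPLE_LOG = """\
{"ts": "2023-03-12T10:00:00Z", "source_ip": "192.168.1.20", "event": "authentication_success", "user": "alice"}
{"ts": "2023-03-12T10:00:30Z", "source_ip": "192.168.1.20", "event": "http_request", "method": "POST", "uri": "/be/rpc.php", "param": "report=monthly"}
{"ts": "2023-03-12T11:15:00Z", "source_ip": "203.0.113.7", "event": "authentication_failure", "user": "bob"}
{"ts": "2023-03-12T11:15:05Z", "source_ip": "203.0.113.7", "event": "authentication_failure", "user": "bob"}
{"ts": "2023-03-12T11:15:20Z", "source_ip": "203.0.113.7", "event": "authentication_success", "user": "bob"}
{"ts": "2023-03-12T11:17:00Z", "source_ip": "203.0.113.7", "event": "http_request", "method": "POST", "uri": "/be/rpc.php", "param": "class=rtn_Example"}
{"ts": "2023-03-12T12:00:00Z", "source_ip": "198.51.100.9", "event": "http_request", "method": "GET", "uri": "/ui/index.html"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_rpc_request(ev):
    return ev.get("event") == "http_request" and ev.get("uri") == RPC_URI


def from_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(events):
    """Return a list of (rule_name, source_ip, timestamp) alerts."""
    alerts = []
    last_success = {}      # source_ip -> time of the most recent successful login
    failures_before = {}   # source_ip -> failed logins seen just before that success
    running_failures = {}  # source_ip -> failures since the last success
    for ev in events:
        ip = ev["source_ip"]
        kind = ev.get("event")
        if kind == "authentication_failure":
            running_failures[ip] = running_failures.get(ip, 0) + 1
        elif kind == "authentication_success":
            last_success[ip] = ev["ts"]
            failures_before[ip] = running_failures.pop(ip, 0)
        elif is_rpc_request(ev):
            # Indicator 1: rpc.php reached from outside the trusted range.
            if not from_trusted(ip):
                alerts.append(("rpc_from_untrusted_ip", ip, ev["ts"]))
            # Indicator 2: parameters naming rtn/class, as in the SIEM query.
            param = ev.get("param", "").lower()
            if any(marker in param for marker in SUSPICIOUS_PARAM_MARKERS):
                alerts.append(("rpc_suspicious_param", ip, ev["ts"]))
            # Indicator 3: failed logins, then success, then rpc.php within the window.
            recent = ip in last_success and ev["ts"] - last_success[ip] <= LOGIN_WINDOW
            if recent and failures_before.get(ip, 0) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_logins_then_rpc", ip, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, ts in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {ip} {rule}")
```

Run against the constructed sample, the trusted user's normal rpc.php call raises nothing, while the 203.0.113.7 session trips all three rules. Feed it your own exported events (one JSON object per line) after renaming the fields, and tune TRUSTED_NETS and the threshold to your environment.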

🔗 References
