🔴 CVE-2022-43939

Authentication bypass vulnerability in Pentaho Business Analytics Server: security restrictions keyed on the request URL can be circumvented by supplying a non-canonical spelling of the same path. Public exploit references describe chaining this bypass with Server-Side Template Injection (SSTI) to reach code execution.

Risk Level: HIGH_RISK
CVSS Score: 8.6
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2023-04-03

Added to CISA KEV: 2025-03-03 (700 days between CVE publication and KEV listing)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2022-43939 is a critical authorization bypass vulnerability affecting Hitachi Vantara Pentaho Business Analytics (BA) Server [1]. It is classified as a "Non-Canonical Path Manipulation" vulnerability [1].

Key Details
Vulnerability Type: Authorization Bypass (Non-Canonical Path Manipulation) [1]
CVSS Score: 9.8 (Critical) [1]
Active Exploitation: Yes; exploited in the wild [3]
Exploitation Requirements: Network-based; no user interaction required
Impact: Attackers can bypass authentication and authorization mechanisms, potentially gaining unauthorized administrative access [1] [5]
Exploitation and Threat Landscape
  • Active Exploitation: Threat actors have been observed actively exploiting this vulnerability in the wild [3].
  • Attack Method: The vulnerability stems from flawed authorization logic where the system fails to properly verify access when non-canonical (altered or obfuscated) URLs are used [1].
  • Targeted Attacks: BA Server instances aggregate sensitive organizational data, so a pre-authentication bypass on them is attractive to attackers seeking that data.
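The failure mode described above, a rule evaluated against the raw request path, is easy to reproduce in miniature. The following Python is an added illustration, not code from Pentaho or from any exploit reference: it contrasts a naive prefix check with one that canonicalizes the path first, and runs both over constructed request paths. The protected prefix (/admin/), the sample paths and the specific non-canonical spellings are assumptions chosen for the demonstration; the page does not state which spelling is used against Pentaho BA Server, and this example does not claim to.

```python
"""Path canonicalization before authorization: vulnerable vs. hardened check.

Added example, not Pentaho code. Protected prefix, sample requests and the
non-canonical spellings are constructed for the demonstration.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical protected area: an unauthenticated caller must never reach it.
PROTECTED_PREFIXES = ("/admin/",)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to the form the backend will actually resolve.

    1. drop the query string
    2. percent-decode until stable (catches %25-style double encoding)
    3. strip path parameters (';jsessionid=...' and friends), which servlet
       containers ignore when mapping a request
    4. collapse '//' and resolve '.' / '..' segments
    Case is deliberately not folded: servlet path matching is case-sensitive.
    """
    path = raw_path.split("?", 1)[0]
    prev = None
    while prev != path:                      # decode until a fixed point
        prev, path = path, unquote(path)
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(path)          # handles '.', '..', '//'
    return "/" + path.lstrip("/")            # normpath keeps a leading '//'


def is_protected_naive(raw_path: str) -> bool:
    """Vulnerable pattern: the rule is evaluated against the raw path."""
    return raw_path.startswith(PROTECTED_PREFIXES)


def is_protected_hardened(raw_path: str) -> bool:
    """Hardened pattern: canonicalize, then apply the same rule."""
    canon = canonicalize(raw_path)
    exact = tuple(p.rstrip("/") for p in PROTECTED_PREFIXES)
    return canon.startswith(PROTECTED_PREFIXES) or canon in exact


def bypasses_naive_check(raw_path: str) -> bool:
    """True when the naive rule admits a request that lands on a protected
    resource: the CVE's failure mode in miniature."""
    return is_protected_hardened(raw_path) and not is_protected_naive(raw_path)


# Constructed request paths (not from the advisory). Each non-canonical entry
# resolves to the same resource as the first one.
SAMPLE_REQUESTS = [
    "/admin/users",             # canonical: both checks deny
    "/public/report",           # canonical, unprotected: both checks allow
    "/public/..;/admin/users",  # path parameter + traversal
    "/%61dmin/users",           # percent-encoded letter
    "/%2561dmin/users",         # double-encoded letter
    "//admin/users",            # duplicated slash
    "/./admin/users",           # dot segment
    "/admin;v=1/users",         # path parameter on the protected segment
]


def audit(paths=SAMPLE_REQUESTS) -> dict:
    """Map each path to whether it slips past the naive rule."""
    return {p: bypasses_naive_check(p) for p in paths}


if __name__ == "__main__":
    for p, bypass in audit().items():
        tag = "BYPASS" if bypass else "ok    "
        print(f"{tag}  {p!r:28} -> {canonicalize(p)!r}")
```

The practical lesson is that the access rule and the resource resolver must agree on what a path means; the durable fix is to evaluate rules against the path the container has already normalized (or to use the framework's own matcher), not to hand-roll decoding as the example does for illustration.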
Affected Versions and Mitigation
  • Affected Versions: Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including the 8.3.x series [4].
  • Mitigation: Users are strongly advised to upgrade to the patched versions (9.4.0.1, 9.3.0.2, or later) to remediate this vulnerability. Organizations should also consult CISA's Known Exploited Vulnerabilities (KEV) catalog for further guidance and requirements regarding this CVE [2].

Sources

  1. Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability

    Hitachi Vantara's Pentaho Business Analytics (BA) Server is affected by a critical authorization bypass vulnerability, CVE-2022-43939, with a CVSS score of 9.8. ... This document details CVE-2022-43939, a critical authorization bypass vulnerability in Hitachi Vantara Pentaho BA Server, and how Armis…

  2. NVD - CVE-2022-43939

    CVE-2022-43939 Detail. Description. Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.Refe…

  3. Hitachi Vantara Pentaho BA Server Vulnerabilities - FortiGuard Labs

    What is the Vulnerability? Threat actors are actively exploiting vulnerabilities in the Hitachi Vantara Pentaho Business Analytics Server.

  4. CVE-2022-43939 Detail - NVD

    Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs.

  5. CVE-2022-43939 - Exploits & Severity - Feedly

    This flaw affects versions before 9.4.0.1 and 9.3.0.2, including 8.3.x series. Impact. Attackers can potentially bypass authentication and authorization ...