CVE-2022-43939

critical

Description

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.

References

https://www.securityweek.com/exploitation-long-known-for-most-of-cisas-latest-kev-additions/

https://www.infosecurity-magazine.com/news/cisa-govt-patch-exploited-cisco/

https://thehackernews.com/2025/03/cisco-hitachi-microsoft-and-progress.html

https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exploited-vulnerabilities-catalog

https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939-

http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html

Details

Source: Mitre, NVD

Published: 2023-04-03

Updated: 2025-03-13

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H