Pentaho Business Analytics Server <9.4.0.1 URL canonicalization bypass
CVE-2022-43939 Published on April 3, 2023
Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, enforce security restrictions by matching request URLs; these restrictions can be circumvented with non-canonical URLs.
Known Exploited Vulnerability
This Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization.
The following remediation steps are recommended / required by March 24, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2022-43939 can be exploited with network access, and requires neither privileges nor user interaction. The attack complexity is considered low. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. A successful exploit is considered to have a small impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Use of Non-Canonical URL Paths for Authorization Decisions
The software defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
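The defensive pattern behind this weakness class, as an added example that is not code from Pentaho or from this advisory: canonicalize the request path (strip path parameters and query, percent-decode until stable, resolve `.`/`..` and duplicate slashes) and only then compare it against the protected prefixes. The policy, the `/api/admin` prefix and the request variants below are constructed for illustration, not the product's real paths or the exploited bypass.

```python
"""Canonicalize a request path before any authorization decision (CWE-647)."""
import posixpath
from urllib.parse import unquote

# Constructed policy for the example; not the product's actual namespaces.
PROTECTED = ("/api/admin",)


def naive_is_protected(raw_path: str) -> bool:
    """Vulnerable pattern: policy applied to the path exactly as received."""
    return raw_path.startswith(tuple(p + "/" for p in PROTECTED))


def canonicalize(raw_path: str) -> str:
    """Reduce the many spellings of one resource to a single canonical path."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]   # drop query/fragment
    # Remove servlet-style path parameters (";jsessionid=...") from each segment.
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Decode until stable so double encoding (%252e -> %2e -> .) cannot survive.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")                       # tolerate backslashes
    if not path.startswith("/"):
        path = "/" + path
    # normpath collapses "//", "/./" and "/../" (and never climbs above "/").
    return posixpath.normpath(path)


def hardened_is_protected(raw_path: str) -> bool:
    """Authorization decision made on the canonical form only."""
    path = canonicalize(raw_path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def compare(paths):
    """Return {raw_path: (naive_decision, hardened_decision)} for inspection."""
    return {p: (naive_is_protected(p), hardened_is_protected(p)) for p in paths}


if __name__ == "__main__":
    # Constructed variants of one resource; a naive check treats them differently.
    for raw, (naive, hardened) in compare([
        "/api/admin/users", "/api/./admin/users", "/api//admin/users",
        "/api/public/../admin/users", "/api/%61dmin/users",
        "/api/admin;x=1/users", "/api/%252e%252e/admin/users",
    ]).items():
        print(f"{raw:32} naive={naive!s:5} hardened={hardened}")
```

Every variant that canonicalizes to a protected path is denied by the hardened check, while the naive check only recognises the literal spelling.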
Affected Versions
Hitachi Vantara Pentaho Business Analytics Server:
- Versions from 1.0 up to, but not including, 9.3.0.2 are affected.
- Versions from 9.4.0.0 up to, but not including, 9.4.0.1 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.