CVE-2022-43939:
Remote attackers can bypass authorization decisions in Hitachi Vantara Pentaho Business Analytics Server by exploiting non-canonical URL paths in affected versions before 9.4.0.1 and 9.3.0.2 (including 8.3.x).
Score: 9.8 Critical
- Published Date: Apr 3, 2023
- CISA KEV Date: Mar 3, 2025
- Industries Affected: 20
Threat Predictions
- EPSS Score: 93.4
- EPSS Percentile: 100%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
Hitachi Vantara Pentaho Business Analytics Server contains a vulnerability in which authorization decisions are made on non-canonical URL paths, so the security restrictions they are meant to enforce can be bypassed. Affected releases include versions before 9.4.0.1 and 9.3.0.2 (including 8.3.x). An attacker can exploit this remotely and without authentication by sending specially crafted URLs that bypass authorization checks, potentially exposing restricted resources or operations. The issue aligns with CWE-647 and CAPEC-3 and has a CVSS v3.1 score of 8.6, reflecting a high-severity, network-based attack with no user interaction.
Remediation
- Upgrade to Pentaho Business Analytics Server 9.4.0.1 or newer (or apply the vendor-supplied patched release) to obtain the fix for CVE-2022-43939.
- If upgrading is not immediately possible, apply any available vendor hotfix or workaround that enforces canonical URL handling and ensures authorization decisions are made only against canonical paths.
- Implement defense-in-depth:
  - Enable and enforce URL canonicalization/normalization on the server front-end and any reverse proxies or load balancers.
  - Validate and sanitize all incoming URL paths to reject non-canonical or ghost-character patterns before they reach the application logic.
  - Add WAF rules to block known non-canonical URL patterns and suspicious path sequences.
  - Review and tighten authorization checks to ensure they rely on canonical, server-side state rather than URL-derived decisions.
- After applying fixes, perform targeted testing using known PoCs or test cases to verify that non-canonical URL paths no longer bypass access controls.
- Monitor vendor advisories for any follow-up fixes and apply them promptly.
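The remediation list above boils down to one rule: reduce every request path to a single canonical form, reject anything that is not already canonical, and make the authorization decision on that canonical path only. The following is an added illustration written for this page, not code from Pentaho, Hitachi Vantara or Armis. The protected prefix `/restricted/`, the sample request paths and the naive prefix check are all constructed for the demo; the per-segment `;param` stripping mirrors what servlet containers conventionally do with path parameters and is an assumption about the deployment in front of the application.

```python
"""Canonicalize request paths before making authorization decisions.

Illustrative example only (not Pentaho code). PROTECTED_PREFIXES, the
sample paths and naive_decision() are constructed for this demonstration.
"""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical protected area; a real deployment would load this from config.
PROTECTED_PREFIXES = ("/restricted/",)

_ENCODED_OCTET = re.compile(r"%[0-9A-Fa-f]{2}")


class NonCanonicalPath(ValueError):
    """Raised when a request path cannot be safely reduced to canonical form."""


def canonicalize(raw_path: str) -> str:
    """Return the single canonical form of an absolute request path.

    Steps: drop query/fragment, percent-decode exactly once (reject anything
    that is still encoded afterwards, i.e. double-encoding), reject control
    characters and backslashes, strip ';param' from each segment (servlet
    container convention, assumed here), resolve '.' and '..' segments and
    collapse duplicate slashes.
    """
    if not raw_path.startswith("/"):
        raise NonCanonicalPath("path must be absolute")
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)  # also turns %2F into '/', the conservative choice for a prefix check
    if _ENCODED_OCTET.search(decoded):
        raise NonCanonicalPath("double percent-encoding")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise NonCanonicalPath("control character in path")
    if "\\" in decoded:
        raise NonCanonicalPath("backslash in path")
    # Strip ';param' per segment so '/a;x/b' and '/a/b' agree.
    joined = "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))
    norm = posixpath.normpath(joined)
    # posixpath keeps a leading '//' (POSIX allows it); collapse it here.
    while norm.startswith("//"):
        norm = norm[1:]
    # normpath drops a trailing slash; keep it, since '/x' and '/x/' may differ.
    if joined.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def is_canonical(raw_path: str) -> bool:
    """True only when the path exactly as sent equals its canonical form."""
    try:
        return canonicalize(raw_path) == raw_path.split("?", 1)[0].split("#", 1)[0]
    except NonCanonicalPath:
        return False


def naive_decision(raw_path: str, authenticated: bool) -> bool:
    """The weak pattern: prefix-match the raw path as received."""
    if raw_path.startswith(PROTECTED_PREFIXES) and not authenticated:
        return False
    return True


def hardened_decision(raw_path: str, authenticated: bool) -> tuple[bool, str]:
    """Reject non-canonical requests outright, then authorize on the canonical path."""
    if not is_canonical(raw_path):
        return False, "rejected: non-canonical path"
    canon = canonicalize(raw_path)
    if canon.startswith(PROTECTED_PREFIXES) and not authenticated:
        return False, f"denied: {canon} requires authentication"
    return True, f"allowed: {canon}"


if __name__ == "__main__":
    # Constructed sample requests, all from an unauthenticated client.
    samples = [
        "/public/index",
        "/restricted/report",
        "/public/../restricted/report",
        "/restricted/%2e%2e/restricted/report",
        "//restricted//report",
        "/restricted;v=1/report",
    ]
    for p in samples:
        print(f"{p:40} naive={naive_decision(p, False)!s:5} hardened={hardened_decision(p, False)}")
```

The `naive=True` rows for the dot-segment, encoded and doubled-slash variants are the point: a prefix check on the raw path lets them through even though every one of them resolves to the protected resource, while the hardened check refuses them as non-canonical before any authorization logic runs. Running the canonicalizer at a reverse proxy and again in the application gives the layered enforcement the remediation list calls for.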
References
- [Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions](https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939-)
- [Pentaho Business Server Authentication Bypass SSTI Code Execution](http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html)
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.
- Armis Alert Date: Apr 11, 2023
- CISA KEV Date: Mar 3, 2025
- Days Early: 700 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.