CVE-2022-43939: Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions
First published: Mon Apr 03 2023(Updated: )
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
Credit: security.vulnerabilities@hitachivantara.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Hitachi Vantara Pentaho Business Analytics Server | <9.3.0.2 | |
| Hitachi Vantara Pentaho Business Analytics Server | =9.4.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html
- https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939-
Frequently Asked Questions
What is CVE-2022-43939?
CVE-2022-43939 is a vulnerability in Hitachi Vantara Pentaho Business Analytics Server that allows security restrictions using non-canonical URLs to be bypassed.
What versions of Hitachi Vantara Pentaho Business Analytics Server are affected by CVE-2022-43939?
Versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, are affected by CVE-2022-43939.
What is the severity of CVE-2022-43939?
CVE-2022-43939 has a severity rating of 9.8 (critical).
How can the security restrictions using non-canonical URLs be circumvented in Hitachi Vantara Pentaho Business Analytics Server?
The security restrictions using non-canonical URLs in Hitachi Vantara Pentaho Business Analytics Server can be circumvented by exploiting the vulnerability.
Where can I find more information about CVE-2022-43939?
You can find more information about CVE-2022-43939 at the following references: [http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html](http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html) and [https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939-](https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939-)
- collector/nvd-index
- agent/type
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/author
- agent/title
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/hitachi
- canonical/hitachi vantara pentaho business analytics server
- version/hitachi vantara pentaho business analytics server/9.4.0.0