CVE-2022-43769
Hitachi Vantara Pentaho Business Analytics Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- October 26, 2022
- Published Date
- April 03, 2023
- Last Updated
- March 03, 2025
- Vendor
- Hitachi Vantara
- Product
- Pentaho Business Analytics Server
- Description
- Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
CVSS Scores
CVSS v3.1
8.8 - HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC Information
- Exploitation
- active
- Technical Impact
- total
Exploit Status
- Exploited in the Wild
- Yes (added 2025-03-03 00:00:00 UTC) Source
References
https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769-
http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2025-03-03 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/pentaho_business_server_authbypass_and_ssti.rb | 2025-04-29 11:01:23 UTC |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-43769.yaml | 2025-04-26 00:00:00 UTC |