Cyber Resilience

CVE-2022-43769

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 03 April 2023
Modified: 24 October 2025
KEV Added: 03 March 2025
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9398 (99.9th percentile)
Risk Priority: 94 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-43769 is a high-severity Injection (CWE-74) vulnerability in Hitachi Vantara Pentaho Business Analytics Server. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2022-43769 affects Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.1 and 9.3.0.2, including the 8.3.x branch. The flaw allows certain web services to accept property values containing Spring templates that are later interpreted, enabling server-side template injection. The issue is tracked under CWE-74 and CWE-94 and carries a CVSS 3.1 score of 8.8.

An authenticated attacker with network access can supply malicious template expressions through the affected web services. Successful exploitation results in arbitrary code execution on the server, with impacts to confidentiality, integrity, and availability.

Vendor advisories direct customers to upgrade to the fixed releases 9.4.0.1 or 9.3.0.2. The Pentaho support article and associated patches address the underlying weakness: special elements in property values are not neutralized before they cross into a different processing plane (the CWE-74 pattern), where they are interpreted as Spring templates.

Public proof-of-concept code for authentication-bypass and remote code execution has been published, the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, and its EPSS score has reached 0.94, indicating active exploitation interest.

Vulnerability details

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows certain web services to set property values which contain Spring templates that are interpreted downstream.

CWE(s): CWE-74, CWE-94
KEV Date Added: 03 March 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: hitachi
Product: vantara pentaho business analytics server
Versions: 9.4.0.0 · 8.3.0.0 — 9.3.0.2

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10, Information Input Validation): Directly requires validation and sanitization of untrusted property values supplied to web services to block Spring template injection (CWE-74/94).
- prevent (SI-2, Flaw Remediation): Mandates prompt application of vendor patches (9.4.0.1/9.3.0.2) that eliminate the template interpretation flaw.
- prevent: Enforces access decisions on the affected web services so only authorized principals can supply property values.
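As an added example, not code from Hitachi Vantara or the Pentaho project, the following Python illustrates the SI-10 control above for the template-injection pattern described under Deeper analysis: an allowlist validator for property values that also rejects Spring template openers, plus a log check that flags the same markers whether or not they arrive URL-encoded. The delimiters `${` and `#{` are an assumption drawn from Spring's property-placeholder and SpEL template syntax; the page itself says only "Spring templates". The property names, value patterns, endpoint path and log lines are constructed for the demonstration.

```python
"""Input validation (NIST 800-53 SI-10) and log detection for untrusted
property values that might carry Spring template syntax.

Added example; not Pentaho's code. Template delimiters are assumed:
"${...}" (property placeholders) and "#{...}" (SpEL expression templates).
"""
import re
from urllib.parse import unquote_plus

# Assumed Spring template openers. Only the opener is checked, since a
# value is already unsafe once it reaches an interpreter with one present.
TEMPLATE_MARKER = re.compile(r"[$#]\{")

# Allowlist of properties a web service may set and the exact shape each
# value may take. Names and patterns are constructed for this example.
PROPERTY_ALLOWLIST = {
    "displayName": re.compile(r"^[\w .,'-]{1,64}$"),
    "locale": re.compile(r"^[a-z]{2}(_[A-Z]{2})?$"),
    "pageSize": re.compile(r"^\d{1,4}$"),
}


def contains_template_syntax(value: str) -> bool:
    """Denylist check: True if the value contains a template opener."""
    return TEMPLATE_MARKER.search(value) is not None


def validate_properties(props: dict) -> tuple[dict, list[str]]:
    """Return (accepted_properties, rejection_reasons).

    A value is accepted only if its key is allowlisted, it is a string,
    it contains no template opener, and it matches the key's pattern.
    The allowlist pattern alone would already reject "${" and "#{"; the
    explicit marker check gives an unambiguous reason and still holds if
    a pattern is later loosened.
    """
    accepted, reasons = {}, []
    for key, value in props.items():
        pattern = PROPERTY_ALLOWLIST.get(key)
        if pattern is None:
            reasons.append(f"{key}: not an allowlisted property")
        elif not isinstance(value, str):
            reasons.append(f"{key}: value must be a string")
        elif contains_template_syntax(value):
            reasons.append(f"{key}: template syntax is not permitted")
        elif not pattern.fullmatch(value):
            reasons.append(f"{key}: value does not match allowed form")
        else:
            accepted[key] = value
    return accepted, reasons


def decode_fully(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded openers such as
    %2524%7B are seen as "${" rather than slipping past a single decode."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_template_markers_in_log(lines: list[str]) -> list[tuple[int, str]]:
    """Detection: return (line_number, raw_line) for every access-log line
    whose decoded content carries a template opener."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if contains_template_syntax(decode_fully(line)):
            hits.append((number, line))
    return hits


# Constructed access-log lines; the path /example-service/properties is a
# placeholder, not a real Pentaho endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Apr/2023:10:00:01 +0000] "PUT /example-service/properties?displayName=Sales+Q3 HTTP/1.1" 200',
    '10.0.0.9 - bob [01/Apr/2023:10:00:07 +0000] "PUT /example-service/properties?displayName=%23%7B1%2B1%7D HTTP/1.1" 200',
    '10.0.0.9 - bob [01/Apr/2023:10:00:09 +0000] "PUT /example-service/properties?locale=%2524%7Bx%7D HTTP/1.1" 400',
]


if __name__ == "__main__":
    ok, why = validate_properties({"displayName": "Sales Q3", "locale": "en_US"})
    print("accepted:", ok, "rejected:", why)
    bad, why = validate_properties({"displayName": "${x}", "theme": "dark"})
    print("accepted:", bad, "rejected:", why)
    for number, line in find_template_markers_in_log(SAMPLE_LOG):
        print(f"line {number}: template marker in request: {line}")
```

The validator leads with the allowlist because a strict shape for each property is the durable control; the marker check is a second layer that names the specific hazard. The log check is a retrospective counterpart for the detection side: run over historical access logs it surfaces requests that carried template openers, including the double-encoded form, which a single decode would miss.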
