CVE-2022-43769
Published: 03 April 2023
Summary
CVE-2022-43769 is a high-severity Injection (CWE-74) vulnerability in Hitachi Vantara Pentaho Business Analytics Server. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2022-43769 affects Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.1 and 9.3.0.2, including the 8.3.x branch. The flaw allows certain web services to accept property values containing Spring templates that are later interpreted, enabling server-side template injection. The issue is tracked under CWE-74 and CWE-94 and carries a CVSS 3.1 score of 8.8.
An authenticated attacker with network access can supply malicious template expressions through the affected web services. Successful exploitation results in arbitrary code execution on the server, with impacts to confidentiality, integrity, and availability.
Vendor advisories direct customers to upgrade to the fixed releases 9.4.0.1 or 9.3.0.2. The Pentaho support article and associated patches address the failure to sanitize special elements that cross into a different processing plane.
Public proof-of-concept code for authentication-bypass and remote code execution has been published, the vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, and its EPSS score has reached 0.94, indicating active exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-46739
Vulnerability details
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allow certain web services to set property values which contain Spring templates that are interpreted downstream.
- CWE(s): CWE-74, CWE-94
- KEV Date Added: 03 March 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted property values supplied to web services to block Spring template injection (CWE-74/94).
- SI-2 (Flaw Remediation): mandates prompt application of the vendor patches (9.4.0.1/9.3.0.2) that eliminate the template interpretation flaw.
- Enforces access decisions on the affected web services so only authorized principals can supply property values.
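One way to implement the input-validation control described above, as an added example that is not Pentaho's code or the vendor's patch: it rejects property values carrying Spring placeholder or SpEL expression markers and applies the same check to constructed access-log lines for detection. The `${`/`#{` markers, the allow-list, the log format and the placeholder path are assumptions, since this page does not document the exact template syntax the affected services interpret.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Markers that open a Spring property placeholder (${...}) or a SpEL expression
# (#{...}). Assumption: the affected services hand values carrying these markers
# to a downstream interpreter, so the check is deliberately broad and is backed
# by an allow-list rather than a deny-list alone.
TEMPLATE_MARKERS = re.compile(r"[$#]\{")

# Allow-list for a plain property value: a bounded set of harmless characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._:/@=,\-]{0,256}")


def validate_property_value(value: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a value the caller has URL-decoded exactly
    once. Never decode again here: double decoding lets %2524%257B... slip
    past the marker check on the first pass and reappear as ${ later."""
    if TEMPLATE_MARKERS.search(value):
        return False, "template marker present"
    if not SAFE_VALUE.fullmatch(value):
        return False, "character outside allow-list"
    return True, "ok"


def flag_requests(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Detection use: run the same check over query parameters in access-log
    lines shaped '<timestamp> <method> <path?query>' (assumed format) and
    return (timestamp, parameter, reason) for every rejected value."""
    findings = []
    for line in log_lines:
        ts, _method, target = line.split(" ", 2)
        # parse_qs performs the single URL decode for us.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name, values in params.items():
            for decoded in values:
                ok, reason = validate_property_value(decoded)
                if not ok:
                    findings.append((ts, name, reason))
    return findings


# Constructed sample log lines; the path is a placeholder, not a real endpoint.
SAMPLE_LOG = [
    "2023-04-03T10:00:01Z POST /pentaho/SERVICE_PLACEHOLDER?name=QuarterlyReport",
    "2023-04-03T10:00:02Z POST /pentaho/SERVICE_PLACEHOLDER?name=%24%7Bsystem.prop%7D",
    "2023-04-03T10:00:03Z POST /pentaho/SERVICE_PLACEHOLDER?name=%23%7B1%2B1%7D",
]

if __name__ == "__main__":
    for finding in flag_requests(SAMPLE_LOG):
        print(*finding)
```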