Cyber Resilience

CVE-2022-43771

Severity: Medium
Published: 03 April 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (vendor fixed releases 9.4.0.0 and 9.3.0.1)
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0059 (69.8th percentile)
Risk Priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-43771 is a medium-severity Path Traversal (CWE-22) vulnerability in Hitachi Vantara Pentaho Business Analytics Server. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 30.2% of CVEs by exploit likelihood (EPSS 69.8th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-43771 is a path traversal vulnerability (CWE-22) affecting Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including the 8.3.x series. The flaw resides in the Pentaho Data Access plugin, which exposes a CSV import service endpoint that accepts a user-supplied path and fails to restrict that path to the intended directory. The issue carries a CVSS 3.1 score of 6.5: network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality with no impact on integrity or availability.

An authenticated attacker with low privileges can supply a crafted path to the CSV import endpoint and retrieve arbitrary files from the server filesystem, enabling unauthorized disclosure of sensitive data without user interaction.

The vendor advisory at support.pentaho.com directs customers to upgrade to the fixed releases 9.4.0.0 or 9.3.0.1 to resolve the improper pathname limitation.

EPSS for the CVE rose materially from a low baseline to a peak of 0.1242 on 2026-02-03 before receding to the current value of 0.0059, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin expose a service endpoint for CSV import which allows a user-supplied path to access resources that are out of bounds.

CWE(s)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Hitachi Vantara Pentaho Business Analytics Server, versions ≤ 9.3.0.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
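The control above is the generic fix for this weakness class: canonicalise the user-supplied name against a fixed import directory and refuse anything that resolves outside it. The following Java class is an added illustration of that check for a CSV-import style endpoint; it is not Pentaho's code or the vendor's patch, and the class name, the `/srv/pentaho/import` directory and the method names are assumptions made for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Illustrative path-containment check for an endpoint that accepts a
 * user-supplied CSV file name. Added example, not Pentaho's implementation;
 * the base directory and method names are assumptions.
 */
public final class SafeCsvPathResolver {

    private final Path baseDir;

    public SafeCsvPathResolver(Path baseDir) {
        // Canonicalise the allowed directory once so every comparison uses the same form.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /**
     * Resolves a user-supplied name against the import directory and rejects
     * anything that would land outside it: ".." segments, absolute paths,
     * root-relative paths on Windows, or the directory itself.
     */
    public Path resolve(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        Path candidate;
        try {
            candidate = Paths.get(userSupplied);
        } catch (InvalidPathException e) {
            // e.g. embedded NUL or characters the filesystem forbids
            throw new IllegalArgumentException("malformed path", e);
        }
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed");
        }
        // normalize() collapses "." and ".." before the prefix test, so a name such as
        // "reports/../../secret.txt" becomes "../secret.txt" relative to baseDir and
        // fails the element-wise startsWith check below ("import-old" does not match
        // "import" either, because Path.startsWith compares whole name elements).
        Path resolved = baseDir.resolve(candidate).normalize();
        if (resolved.equals(baseDir) || !resolved.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes import directory");
        }
        // If the import directory may contain symlinks, additionally compare
        // resolved.toRealPath() against baseDir.toRealPath() once the file is known to exist.
        return resolved;
    }

    public static void main(String[] args) {
        // Assumed import directory for the demonstration.
        SafeCsvPathResolver resolver = new SafeCsvPathResolver(Paths.get("/srv/pentaho/import"));
        // Constructed sample inputs: two benign names followed by three that must be rejected.
        String[] samples = {
            "sales.csv",
            "2023/q1.csv",
            "../../etc/passwd",
            "/etc/passwd",
            "reports/../../../secret.txt"
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + resolver.resolve(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The order of operations matters: the containment test runs on the normalised absolute path, never on the raw string, so encoded or redundant separators cannot slip a `..` past a naive substring check. The symlink note in the code is the usual residual risk once the lexical check passes.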

References