Cyber Resilience

CVE-2022-43939

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 03 April 2023

Published
03 April 2023
Modified
24 October 2025
KEV Added
03 March 2025
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.9325 99.8th percentile
Risk Priority 93 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-43939 is a high-severity Use of Non-Canonical URL Paths for Authorization Decisions (CWE-647) vulnerability in Hitachi Vantara Pentaho Business Analytics Server. Its CVSS base score is 8.6 (High).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-24 (Access Control Decisions).

Deeper analysis

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including the 8.3.x branch, contain an authorization flaw in which security restrictions are enforced using non-canonical URL paths. The weakness, tracked as CVE-2022-43939 and assigned CWE-647, permits an unauthenticated network attacker to bypass intended access controls by supplying alternate URL representations that the server does not normalize before performing authorization decisions.

An attacker can therefore reach administrative or restricted endpoints that should be protected, resulting in partial confidentiality and integrity impacts together with high availability impact as reflected in the CVSS 8.6 vector. Public proof-of-concept material demonstrates that the bypass can be chained with server-side template injection to achieve remote code execution.

Vendor guidance published by Hitachi Vantara directs customers to upgrade to the fixed releases 9.4.0.1 or 9.3.0.2; the same advisory is referenced in CISA’s Known Exploited Vulnerabilities catalog, confirming that the issue has been observed in active exploitation campaigns. The associated EPSS score remains elevated near 0.93, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.

CWE(s)
KEV Date Added
03 March 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hitachi
vantara pentaho business analytics server
9.4.0.0 · ≤ 9.3.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access-control decisions on canonical resource identifiers, blocking the non-canonical URL bypass that leads to authentication bypass and RCE.

prevent

Requires correct, consistent access-control decision logic that would reject the alternative URL representations exploited by CWE-647.

prevent

Mandates validation and normalization of URL input before authorization checks, preventing the crafted non-canonical paths used for the bypass.

References