CVE-2022-43769
published 2023-04-03


Priority: P1 (83), high, CVSS 3.1 base score 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability (due 2025-03-24)
Exploited in the wild
EPSS: 97.67% (99.9th percentile)
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.

Affected (4 ranges)

Vendor           Product                            Version range          Fixed in
hitachivantara   pentaho_business_analytics_server
hitachivantara   pentaho_business_analytics_server  >= 8.3.0.0 < 9.3.0.2   9.3.0.2
hitachi_vantara  pentaho_business_analytics_server  >= 1.0 < 9.3.0.2       9.3.0.2
hitachi_vantara  pentaho_business_analytics_server  >= 9.4.0.0 < 9.4.0.1   9.4.0.1

Detection & IOCs (extracted from sources)

url:   /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.net.InetAddress).getByName('{{interactsh-url}}')}&mgrDn=a&pwd=a
url:   /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{cmd}')}}&mgrDn=a&pwd=a
path:  /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js
other: shodan:http.favicon.hash:1749354953
other: fofa:icon_hash=1749354953
  • Detect SSTI exploitation attempts by monitoring GET requests to /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js with a 'url' parameter containing Spring/Thymeleaf template expressions (e.g., #{T(java.lang...)})
  • The auth bypass (CVE-2022-43939) is triggered by URLs ending in '/' followed by 'require', optionally '-js' or '-cfg', any character, then 'js' — monitor for non-canonical URL patterns matching this regex against protected Pentaho endpoints
  • In HTTP responses from the vulnerable endpoint, a body of '{}' with a 200 status and 'application/json' content-type header containing 'Path=/pentaho' cookie indicates a successful auth bypass probe
  • For the SSTI RCE probe, a response body of 'false' with 'application/json' content-type header confirms successful template injection execution
  • Active exploitation observed from 15 malicious IPs between December 6, 2024 and February 28, 2025; top source countries are Singapore, Hong Kong, and United States — use GreyNoise tags for CVE-2022-43769 to identify and block scanning IPs
  • The exploit (CVE-2022-43769 + CVE-2022-43939 chained) only works on the Enterprise Edition of Pentaho BA Server; community edition behavior is untested
  • Unauthenticated RCE requires chaining both CVE-2022-43939 (auth bypass) and CVE-2022-43769 (SSTI); CVE-2022-43769 alone is rated PR:H (high privilege required) per CVSS
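The two request-side indicators above (a 'url' parameter carrying a Spring template expression, and the non-canonical '/require…js' suffix on a protected endpoint) as detection logic over access-log request lines. This is an added example, not code from the page or from Pentaho; it assumes that every path under /pentaho/api/ is a protected endpoint, and the sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Auth-bypass URL shape described in the advisory text: "/" then "require",
# optionally "-js" or "-cfg", any single character, then "js" at path end.
BYPASS_SUFFIX = re.compile(r"/require(?:-js|-cfg)?.js$")
# Assumption: everything under this prefix is a protected API endpoint.
PROTECTED_PREFIX = "/pentaho/api/"
# Spring template / SpEL markers not expected in a legitimate 'url' value.
TEMPLATE_MARKERS = ("#{", "${", "T(")


def classify_request(request_line: str) -> set[str]:
    """Return the findings for one 'METHOD TARGET HTTP/x' request line."""
    findings: set[str] = set()
    fields = request_line.split(" ", 2)
    if len(fields) != 3:
        return findings
    parts = urlsplit(fields[1])
    path = unquote(parts.path)  # decode %2E etc. before matching the suffix
    if path.startswith(PROTECTED_PREFIX) and BYPASS_SUFFIX.search(path):
        findings.add("auth-bypass-pattern")  # CVE-2022-43939 style URL
    # parse_qs percent-decodes values, so %23{...} is seen as #{...}
    for value in parse_qs(parts.query).get("url", []):
        if any(marker in value for marker in TEMPLATE_MARKERS):
            findings.add("ssti-attempt")  # CVE-2022-43769 style payload
    return findings


def scan_log(log_text: str) -> list[tuple[int, str, set[str]]]:
    """Return (line number, decoded path, findings) for every flagged line."""
    flagged = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split(" ")
        if len(fields) < 3:
            continue
        findings = classify_request(" ".join(fields[:3]))
        if findings:
            flagged.append((number, unquote(urlsplit(fields[1]).path), findings))
    return flagged


# Constructed sample access-log lines (request line plus status), not real traffic.
SAMPLE_LOG = """\
GET /pentaho/js/require.js HTTP/1.1 200
GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.net.InetAddress).getByName('example.invalid')}&mgrDn=a&pwd=a HTTP/1.1 200
GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=ldap://ldap.example.invalid&mgrDn=a&pwd=a HTTP/1.1 200
GET /pentaho/api/repos/require-cfg.js HTTP/1.1 200
GET /pentaho/Home HTTP/1.1 200
"""
```

Only the three requests under /pentaho/api/ are flagged; the static require.js outside the protected prefix is left alone, and the second API request is reported for both the bypass suffix and the template expression.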

CVSS provenance

NVD (v3.1):  7.2 HIGH  CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
VulnCheck:   8.8 HIGH
CISA:        7.2 HIGH