CVE-2022-43939 - Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability

Hitachi Vantara | Pentaho Business Analytics (BA) Server

• Date Added:
• 2025-03-03

• Due Date:
• 2025-03-24

Vulnerability Name

Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability

Description

Hitachi Vantara Pentaho BA Server contains a use of non-canonical URL paths for authorization decisions vulnerability that enables an attacker to bypass authorization.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939- ; https://nvd.nist.gov/vuln/detail/CVE-2022-43939

Latest Security News

U.K. ICO Investigates TikTok, Reddit, and Imgur Over Children's Data Protection Practices

The New Ransomware Groups Shaking Up 2025

Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries

Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks

Mozilla Updates Firefox Terms Again After Backlash Over Broad Data License Language

U.S. recovers $31 million stolen in 2021 Uranium Finance hack

Qilin ransomware claims attack at Lee Enterprises, leaks stolen data

Police arrests suspects tied to AI-generated CSAM distribution ring

Common Alerts

HighServer Side Code Injection - PHP Code Injection

MediumInsecure JSF ViewState

MediumWeb Cache Deception

MediumCSP: Wildcard Directive

HighSOAP Action Spoofing

MediumMultiple X-Frame-Options Header Entries

MediumJava Serialization Object

MediumAbsence of Anti-CSRF Tokens

InformationalRe-examine Cache-control Directives

MediumApplication Error Disclosure

Latest CVE List

CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection Vulnerability

CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability

CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability

CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability

CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability

CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability

CVE-2023-34192 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

CVE-2017-3066 Adobe ColdFusion Deserialization Vulnerability

CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability

CVE-2025-24989 Microsoft Power Pages Improper Access Control Vulnerability

Common CWEs

CWE-174 Double Decoding of the Same Data

CWE-589 Call to Non-ubiquitous API

CWE-625 Permissive Regular Expression

CWE-132 DEPRECATED: Miscalculated Null Termination

MediumCWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-590 Free of Memory not on the Heap

CWE-1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions

CWE-626 Null Byte Interaction Error (Poison Null Byte)

CWE-512 Spyware

CWE-216 DEPRECATED: Containment Errors (Container Errors)