Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions
CVE-2022-43939

8.6HIGH

Key Information:

Vendor: Hitachi
Status: Pentaho Business Analytics Server
Vendor: CVE Published:; 3 April 2023

Summary

The Hitachi Vantara Pentaho Business Analytics Server is affected by a vulnerability that allows an attacker to bypass security restrictions through non-canonical URLs. This flaw impacts versions prior to 9.4.0.1, 9.3.0.2, and includes the 8.3.x series, potentially allowing unauthorized access to sensitive functionalities within the analytics platform. Corrective measures are necessary to prevent exploitation and secure the server against unauthorized access.

Affected Version(s)

Pentaho Business Analytics Server 1.0 < 9.3.0.2

Pentaho Business Analytics Server 9.4.0.0 < 9.4.0.1

References

https://support.pentaho.com/hc/en-us/articles/14455394120...

http://packetstormsecurity.com/files/172296/Pentaho-Busin...

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 3, 2023
Vulnerability Reserved
Oct 26, 2022

Credit

Harry Withington, Aura Information Security