CVE-2022-43769
PUBLISHED
KEV
CVSS 8.8 HIGH
Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.1 and 9.3.0.2, including 8.3.x, allow certain web services to set property values that contain Spring templates, which are interpreted downstream.
EPSS 93.98% · 99.9th percentile
Risk Scores
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 93.98% (99.9th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| hitachi | vantara_pentaho_business_analytics_server | 9.4.0.0, 8.3.0.0 |
| Hitachi Vantara | Pentaho Business Analytics Server | 1.0, 9.4.0.0 |
Timeline
- Apr 3, 2023 CVE Published
- Apr 4, 2023 EPSS Score
- Apr 5, 2023 PoC Published
- Apr 13, 2023 EPSS Score
- May 11, 2023 PoC Published
- Jun 8, 2023 EPSS Score
- Jul 6, 2023 EPSS Score
- Jul 19, 2023 EPSS Score
- Aug 11, 2023 EPSS Score
- Aug 13, 2023 EPSS Score
- Sep 6, 2023 EPSS Score
- Sep 22, 2023 EPSS Score
References
- https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769-
- http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-43769
- https://nvd.nist.gov/vuln/detail/CVE-2022-43769 (advisory)