CVE-2022-43769
Hitachi Vantara Pentaho Business Analytics Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
| CWE | CWE-74 |
| Vendor | hitachi vantara |
| Product | pentaho business analytics server |
| Published | Apr 3, 2023 |
| Last Updated | Oct 21, 2025 |
โ ๏ธ Actively Exploited โ Act Now
Get instant alerts for hitachi vantara pentaho business analytics server
This vulnerability is actively exploited in the wild. Set up free real-time alerts so you're first to know about threats like CVE-2022-43769.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
Hitachi Vantara / Pentaho Business Analytics Server
1.0 < 9.3.0.2 9.4.0.0 < 9.4.0.1
References
support.pentaho.com: https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769- packetstormsecurity.com: http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-43769
Credits
Harry Withington, Aura Information Security