Home / Vulnerabilities / CVE-2022-43769
HIGH SEVERITY
CVE-2022-43769 Hitachi Vantara · Pentaho Business Analytics (BA) Server

Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability

Technical Severity

CVSS v3.1 Metrics

HIGH
8.8 / 10
Minimal Risk Critical
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitation Likelihood

EPSS Prediction

93.98 %
Predictive Probability
Percentile Rank
99.9 th

Documented as more likely to be exploited than 99.9% of known CVEs.

Detection Date

Mar 03, 2025

Remediation Due

Mar 24, 2025

CISA Catalog Active

Threat Analysis

Hitachi Vantara Pentaho BA Server contains a special element injection vulnerability that allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution.

Remediation Directive

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

External Intelligence

https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769

https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769
NVD

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2022-43769