CVE-2022-43939 — Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability

Pentaho BA Server — Non-Canonical URL Path Bypasses Authorization Checks; Chained with CVE-2022-43769 (Spring Template Injection) for Unauthenticated RCE; Fixed 9.4.0.1/9.3.0.2

What is Hitachi Vantara Pentaho BA Server?

Hitachi Vantara Pentaho Business Analytics (BA) Server is an enterprise business intelligence and data integration platform used for reporting, dashboarding, ETL pipelines, and data analytics. Pentaho deploys as a Java web application with a Spring-based framework and exposes a web interface for analytics management and administration. Authorization in Pentaho is enforced through URL-based access control rules that map URL path patterns to required roles. When the authorization system uses path pattern matching without properly normalizing the request URL first, attackers can use non-canonical URL representations to reach restricted endpoints while the authorization check sees only the public path pattern — a class of vulnerability known as authorization bypass via non-canonical URLs (CWE-647).

Overview

CVE-2022-43939 is an authorization bypass vulnerability (CWE-647) in Hitachi Vantara Pentaho BA Server where non-canonical URL paths — paths containing URL encoding, path traversal sequences, or alternate representations — bypass the server's authorization decision logic. An unauthenticated attacker can reach administrative or restricted endpoints by crafting a URL that satisfies the public path pattern checked by the authorization filter while routing to a protected endpoint at the servlet layer. Paired with CVE-2022-43769 (Spring template injection), CVE-2022-43939 enables fully unauthenticated remote code execution against all unpatched Pentaho BA Server installations. CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog together in March 2025.

Affected Versions

Product | Affected | Fixed
Pentaho BA Server 9.4.x | Prior to 9.4.0.1 | 9.4.0.1
Pentaho BA Server 9.3.x | Prior to 9.3.0.2 | 9.3.0.2
Pentaho BA Server 8.3.x | All versions | No patch — upgrade required

Technical Details

Authorization bypass via non-canonical URLs (CWE-647) occurs when a web application's access control layer makes authorization decisions based on the raw URL path string, but the URL is subsequently normalized or decoded by the underlying application server or routing layer before reaching the protected endpoint. The two layers therefore see different paths for the same request. The bypass proceeds as follows:

  1. Identify a protected endpoint — the target is an administrative function in Pentaho that requires authentication
  2. Craft a non-canonical URL — represent the path using URL encoding (e.g., %2F for /), double encoding, path normalization sequences (e.g., ../), or alternate encodings that the authorization filter does not recognize as matching the protected path pattern
  3. Submit the request unauthenticated — the authorization filter evaluates the non-canonical path against its ACL rules, finds no matching protected pattern, and allows the request through
  4. Reach the protected endpoint — the application server normalizes the URL before routing, delivering the request to the actual protected endpoint as if authenticated
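The mismatch in steps 2 through 4 can be shown as an added example (not Pentaho's code): an ACL evaluated on the raw request path beside one evaluated on the canonical path that the servlet layer will actually route. The protected prefix is hypothetical; the canonicalizer fails closed on anything it cannot make unambiguous.

```python
# Added example, not Pentaho code: an ACL evaluated on the raw request path
# (the CWE-647 pattern) beside one evaluated on the canonical path that the
# servlet layer will actually route. The protected prefix is hypothetical.
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/pentaho/api/admin",)   # hypothetical protected path

def canonicalize(path: str) -> str:
    """Decode once and resolve dot-segments, mirroring what the container does
    before routing. Paths that remain ambiguous (double encoding, backslash,
    NUL, traversal above root) raise ValueError so the caller can deny them."""
    decoded = unquote(path)
    if any(c in decoded for c in "%\\\x00"):
        raise ValueError(f"ambiguous after decoding: {path!r}")
    parts: list[str] = []
    for seg in decoded.split("/"):
        if seg == "..":
            if not parts:
                raise ValueError(f"escapes root: {path!r}")
            parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)

def is_protected(path: str) -> bool:
    return path.startswith(PROTECTED_PREFIXES)

def authorize_raw(path: str, authenticated: bool) -> bool:
    """Vulnerable: the filter matches the string as received, so an encoded
    slash or a dot-segment hides the protected prefix from the pattern."""
    return authenticated or not is_protected(path)

def authorize_canonical(path: str, authenticated: bool) -> bool:
    """Hardened: decide on the same path the router will use, and fail closed
    on anything that cannot be canonicalized."""
    try:
        return authenticated or not is_protected(canonicalize(path))
    except ValueError:
        return False
```

The raw-path filter lets the encoded and dot-segment forms through while the canonical-path filter denies them, and the double-encoded form is denied outright rather than guessed at.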

This bypass enables CVE-2022-43939 to serve as the authentication bypass stage for the companion CVE-2022-43769 (Spring template injection) exploit chain, transforming what would be an authenticated command injection into an unauthenticated one.

Discovery

CVE-2022-43939 and CVE-2022-43769 were published to NVD simultaneously in April 2023, cover the same affected version range, and were added to CISA KEV together in March 2025. This concurrent treatment reflects that they were discovered and reported together as a paired pre-authentication RCE chain. The two-year gap between NVD publication and KEV addition indicates that active exploitation in enterprise environments was confirmed well after the patch release.

Exploitation Context

The CVE-2022-43939 + CVE-2022-43769 chain against Pentaho BA Server is particularly concerning for enterprise and government environments where Pentaho is used as a centralized analytics platform:

  • The chain requires no authentication and no special configuration to exploit — any accessible Pentaho BA Server below 9.4.0.1 or 9.3.0.2 is vulnerable
  • Pentaho's access to enterprise data sources means server compromise exposes all connected database credentials
  • The server process account often has elevated privileges to access data warehouse and reporting databases

The authorization bypass (CVE-2022-43939) is the entry point — without it, CVE-2022-43769 alone requires low-privilege authentication. Together they provide a network-accessible unauthenticated RCE with PR:N.

Remediation

  1. Upgrade to Pentaho BA Server 9.4.0.1 or 9.3.0.2 — patches both CVE-2022-43939 and CVE-2022-43769; version 8.3.x users must upgrade to a supported 9.x branch.
  2. Restrict network access — the Pentaho web interface should not be internet-accessible; place behind a VPN or restrict to administrative network segments.
  3. Apply WAF rules for URL normalization — a web application firewall that normalizes and validates URL paths before forwarding to Pentaho can block non-canonical URL bypass attempts as a compensating control.
  4. Monitor access logs for non-canonical URL patterns — look for requests with URL-encoded slashes, double-encoded characters, or path traversal sequences in the path that reach administrative endpoints.
  5. Audit active sessions — review Pentaho audit logs for anomalous administrative activity indicating unauthorized access via this bypass.
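The access-log check in step 4, as an added example that is not Pentaho's own tooling: it flags requests whose raw path is non-canonical (encoded or double-encoded separators, dot-segments, doubled slashes) and whose normalized form lands on an administrative prefix, or that still contain an escape after one decode. The admin prefixes and the log lines are constructed for illustration.

```python
# Added example, not Pentaho code: the access-log check from remediation step 4,
# run over constructed combined-format log lines. Flags non-canonical request
# paths that normalize onto an admin prefix, or that stay ambiguous after one
# percent-decode (double encoding). Admin prefixes are hypothetical.
import posixpath
import re
from urllib.parse import unquote

ADMIN_PREFIXES = ("/pentaho/api/admin", "/pentaho/api/system")   # hypothetical
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+" (\d{3})')
NON_CANONICAL = re.compile(r"%2f|%5c|%25|/\.{1,2}(?:/|$)|//", re.IGNORECASE)

def normalize(raw_path: str) -> str:
    """Single percent-decode plus dot-segment resolution, approximating what the
    servlet container does before routing (stdlib only, not a full canonicalizer)."""
    return posixpath.normpath(unquote(raw_path.split("?", 1)[0]))

def flag_bypass_attempts(log_lines):
    """Return (client_ip, raw_path, normalized_path, status) for requests whose
    raw path is non-canonical and resolves to an admin prefix or stays encoded."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, raw, status = m.groups()
        if not NON_CANONICAL.search(raw):
            continue                      # canonical request: nothing to flag
        norm = normalize(raw)
        if norm.startswith(ADMIN_PREFIXES) or "%" in norm:
            hits.append((ip, raw, norm, status))
    return hits

SAMPLE_LOG = [  # constructed combined-format lines, not real Pentaho output
    '10.0.0.5 - - [03/Mar/2025:10:00:00 +0000] "GET /pentaho/api/admin/users HTTP/1.1" 401 0',
    '10.0.0.5 - - [03/Mar/2025:10:00:01 +0000] "GET /pentaho/api%2Fadmin/users HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Mar/2025:10:00:02 +0000] "GET /pentaho/public/../api/admin/users HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Mar/2025:10:00:03 +0000] "GET /pentaho/api%252Fadmin/users HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Mar/2025:10:00:04 +0000] "GET /pentaho/content/report.prpt?x=1 HTTP/1.1" 200 2048',
]
```

A 200 on a flagged line for an endpoint that otherwise returns 401 unauthenticated is the signal worth escalating; the first line shows the expected denial on the canonical path.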

Key Details

Property | Value
CVE ID | CVE-2022-43939
Vendor / Product | Hitachi Vantara — Pentaho Business Analytics (BA) Server
NVD Published | 2023-04-03
NVD Last Modified | 2025-10-24
CVSS 3.1 Score | 8.6
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Severity | HIGH
CWE | CWE-647
CISA KEV Added | 2025-03-03
CISA KEV Deadline | 2025-03-24
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-03-24. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2023-04-03 | CVE-2022-43939 published to NVD alongside companion CVE-2022-43769 (Spring template injection)
2025-03-03 | CISA adds CVE-2022-43939 and CVE-2022-43769 together to the Known Exploited Vulnerabilities catalog
2025-03-24 | CISA BOD 22-01 remediation deadline

References

Resource | Type
NVD — CVE-2022-43939 | Vulnerability Database
CISA KEV Catalog Entry | US Government