CVE-2022-43769— Hitachi Vantara Pentaho Business Analytics Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

CVSS 8.8 · High KEV EPSS 93.98% · P100 Updated Feb 26, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2022-43769

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Hitachi Vantara Pentaho Business Analytics Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

Source: NVD (National Vulnerability Database)

Vulnerability Description

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

输出中的特殊元素转义处理不恰当(注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

Hitachi Vantara Pentaho Business Analytics Server 代码注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Hitachi Vantara Pentaho Business Analytics Server是日本日立制作所（Hitachi）公司的一个现代数据混合、集成和业务分析平台。 Hitachi Vantara Pentaho Business Analytics Server 存在代码注入漏洞，该漏洞源于允许某些 Web 服务设置包含下游解释的 Spring 模板的属性值。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Hitachi Vantara	Pentaho Business Analytics Server	1.0 ~ 9.3.0.2	-

II. Public POCs for CVE-2022-43769

#	POC Description	Source Link	Shenlong Link
1	Hitachi Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is susceptible to remote code execution via server-side template injection. Certain web services can set property values which contain Spring templates that are interpreted downstream, thereby potentially enabling an attacker to execute malware, obtain sensitive information, modify data, and/or perform unauthorized operations without entering necessary credentials.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-43769.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2022-43769

请登录查看更多情报信息。

Same Patch Batch · Hitachi Vantara · 2023-04-03 · 9 CVEs total

CVE-2022-43773	8.8 HIGH	Hitachi Vantara Pentaho Business Analytics Server - Incorrect Permission Assignment for Cr
CVE-2022-43938	8.8 HIGH	Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives
CVE-2022-43939	8.6 HIGH	Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Aut
CVE-2022-43771	6.5 MEDIUM	Hitachi Vantara Pentaho Business Analytics Server - Improper Limitation of a Pathname to a
CVE-2022-3960	6.3 MEDIUM	Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives
CVE-2022-4771	5.4 MEDIUM	Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input Durin
CVE-2022-4769	4.3 MEDIUM	Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing
CVE-2022-4770	4.3 MEDIUM	Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing

IV. Related Vulnerabilities

Same product: Pentaho Business Analytics Server

Same vendor: Hitachi Vantara

Same weakness: CWE-74

V. Comments for CVE-2022-43769

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2022-43769— Hitachi Vantara Pentaho Business Analytics Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

I. Basic Information for CVE-2022-43769

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2022-43769

III. Intelligence Information for CVE-2022-43769

Same Patch Batch · Hitachi Vantara · 2023-04-03 · 9 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2022-43769

Leave a comment