S4E

CVE-2022-43939 Scanner

CVE-2022-43939 Scanner - Unauthorized Admin Access vulnerability in Hitachi Vantara Pentaho Business Analytics Server

Short Info

Level: High
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 24 days 8 hours
Scan only one: URL
Toolbox: -

Hitachi Vantara Pentaho Business Analytics Server is a data analysis tool widely used in enterprise environments. It is designed to help organizations analyze data for better decision-making by providing capabilities ranging from reporting to predictive analysis. The software is used by analysts, data scientists, and business managers to gain insights from data and improve operations. By offering a seamless way to manage and interpret data, the software is a popular choice across various industries. The analytics server integrates with other business systems to provide real-time data analysis. It serves large enterprises with high data volume by supporting diverse data sources and customizable reports.

The vulnerability detected in Hitachi Vantara Pentaho Business Analytics Server allows attackers to obtain unauthorized admin access. The issue arises because authorization checks are applied to URLs that are not in canonical form, so a non-canonical URL can bypass the security restrictions. Since no credentials are required, the system is open to exploitation by unauthorized entities, and critical operations that should be protected become reachable, putting sensitive data at risk. The vulnerability affects specific server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. Users need to be aware of this flaw to mitigate potential risks.

Technically, the vulnerability involves URLs that do not adhere to canonical forms, which lets requests bypass the usual authorization checks. Attackers can leverage this by sending crafted HTTP requests to endpoints such as '/pentaho/Login' and '/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js'. A 200 OK response to such a request indicates that a restricted section was reached without authorization. Certain URL paths appear to skip the standard authorization procedure entirely, so they expose sensitive functionality without verifying the user. A positive detection therefore implies a significant lapse in the authorization scheme.
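The following is an added example, not the S4E scanner and not Pentaho's own code. It models the defect class described above in a small authorization policy: a naive policy that decides "public or not" on the raw request URL, beside a hardened policy that canonicalizes the path (percent-decoding, dot-segments, repeated slashes, segment parameters) before consulting a default-deny allowlist, so that the protected API prefix wins over any static-looking suffix. The same canonicalization is then reused to review access logs for unauthenticated 200 responses on the API surface, which is the defender-side counterpart of the 200 OK detection the scanner relies on. The protected prefix, the public asset directories, the log format and the log lines are all constructed assumptions for the demonstration; only the two endpoint paths come from the description above.

```python
"""
Added example (not S4E's scanner and not Pentaho's code): models the defect
class behind CVE-2022-43939, an authorization decision taken on the raw,
non-canonical request URL, beside a hardened policy that canonicalizes the
path first, and reuses the same canonicalization to review access logs for
unauthenticated 200 responses on the API surface. All prefixes, asset
directories and log lines here are constructed for the demonstration.
"""
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/pentaho/api/",)                     # admin/API surface: login required
PUBLIC_EXACT = {"/pentaho/Login"}                           # the login page itself is public
PUBLIC_STATIC_PREFIXES = ("/pentaho/js/", "/pentaho/css/")  # hypothetical asset directories
STATIC_SUFFIXES = (".js", ".css", ".png")


def is_public_naive(raw_path: str) -> bool:
    """Flawed pattern (illustration only): a request is 'public' whenever the
    raw URL merely ends in a static-looking name, regardless of prefix,
    encoding or dot-segments."""
    return raw_path.endswith(STATIC_SUFFIXES)


def canonicalize(raw_path: str) -> str:
    """Normalize before deciding: drop query/fragment, percent-decode twice
    (double encoding), strip ';param' segment parameters, fold backslashes,
    and collapse '.', '..' and repeated slashes."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    path = posixpath.normpath(path or "/")
    return "/" + path.lstrip("/")   # normpath keeps a leading '//', fold it


def requires_auth(raw_path: str) -> bool:
    """Hardened policy: default deny on the canonical path; the protected
    prefix wins over any suffix, and static assets are public only inside
    explicit asset directories."""
    path = canonicalize(raw_path)
    if path in PUBLIC_EXACT:
        return False
    if path.startswith(PROTECTED_PREFIXES):
        return True
    if path.startswith(PUBLIC_STATIC_PREFIXES) and path.endswith(STATIC_SUFFIXES):
        return False
    return True


# Constructed access-log lines: client, authenticated user ('-' if none),
# timestamp, request line, status.
SAMPLE_LOG = """\
10.0.0.5 - [01/Jan/2024:10:00:00 +0000] "GET /pentaho/Login HTTP/1.1" 200
10.0.0.5 - [01/Jan/2024:10:00:01 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js HTTP/1.1" 200
10.0.0.7 admin [01/Jan/2024:10:00:02 +0000] "GET /pentaho/api/ldap/config HTTP/1.1" 200
10.0.0.9 - [01/Jan/2024:10:00:03 +0000] "GET /pentaho/api/ldap/config HTTP/1.1" 401
10.0.0.9 - [01/Jan/2024:10:00:04 +0000] "GET /pentaho/js/app.js HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) (\S+) \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})$')


def unauthenticated_api_hits(log_text: str) -> list:
    """Detection: flag 200 responses to unauthenticated requests whose
    canonical path lands on the protected API surface."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, _method, raw_path, status = m.groups()
        if user == "-" and status == "200" and canonicalize(raw_path).startswith(PROTECTED_PREFIXES):
            hits.append((client, raw_path))
    return hits


if __name__ == "__main__":
    probe = "/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js"
    print("naive policy treats as public:", is_public_naive(probe))
    print("hardened policy requires auth:", requires_auth(probe))
    for client, path in unauthenticated_api_hits(SAMPLE_LOG):
        print("review:", client, path)
```

The design point is that the authorization decision must be made on the same canonical path the server will actually route, and that a protected prefix must be checked before any "looks like a static file" shortcut; the log review applies the identical normalization so that encoded or dot-segment variants of an API path are not missed when hunting for unauthenticated successes.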

Exploitation of this vulnerability can lead to unauthorized data access, configuration changes, and administrative operations, which in turn can result in data theft, system manipulation, and significant operational disruption. A compromised business analytics server, a critical component of organizational IT infrastructure, poses severe confidentiality, integrity, and availability risks and can undermine trust in the accuracy and reliability of the data behind business decisions. Users should address this vulnerability promptly to prevent these outcomes.
