What happened
CISA added CVE-2022-43939 to the Known Exploited Vulnerabilities (KEV) catalog for Hitachi Vantara Pentaho Business Analytics (BA) Server, citing an authorization bypass caused by use of non-canonical URL paths [CISA KEV]. The listing dates the addition to 2025-03-03 with a remediation due date of 2025-03-24 for U.S. Federal Civilian Executive Branch agencies [CISA KEV]. The NVD record confirms the issue as “use of non-canonical URL paths for authorization decisions” aligned with CWE-647, enabling access control bypass in Pentaho BA Server [NVD CVE-2022-43939]. MITRE’s CVE registry tracks the vulnerability under the same identifier and vendor/product scope [MITRE CVE-2022-43939].
Why it matters
A canonicalization flaw in an analytics server is a straight shot to sensitive dashboards, data sources, schedules, and admin functions if auth checks can be sidestepped [NVD CVE-2022-43939]. KEV inclusion means exploitation has been observed in the wild and agencies are mandated to remediate by the specified due date [CISA KEV]. Enterprises should treat this as an active-risk signal, not a theoretical one: KEV is a prioritized list for immediate action, not a CVE backlog [CISA KEV].
Technical detail
Per NVD, the weakness is “use of non-canonical URL paths for authorization decisions,” mapped to CWE-647 [NVD CVE-2022-43939]. In practice, this class occurs when the application evaluates access control on the raw request path but the router/resource resolver uses a normalized or differently interpreted path, creating a mismatch an attacker can exploit [NVD CVE-2022-43939]. Variants include alternate encodings (e.g., percent-encoding), superfluous path segments, or case/separator ambiguities that the auth layer treats as different while the backend treats as equivalent [NVD CVE-2022-43939].
Pentaho BA Server is the affected product according to the KEV entry, with the vulnerability enabling bypass of authorization checks [CISA KEV]. The CVE assignment maintained by MITRE confirms the vendor/project attribution (Hitachi Vantara / Pentaho BA Server) and provides the canonical identifier for tracking [MITRE CVE-2022-43939]. While specific exploit strings aren’t published in these records, the class of bug is typically low-complexity for automated probing and can be discovered by iterating encoded or obfuscated path forms against protected endpoints [NVD CVE-2022-43939].
Defense
- Patch/mitigate immediately per the KEV “Required Action,” and follow applicable BOD 22-01 guidance for cloud services where relevant [CISA KEV].
- If you must keep exposed services online pending remediation, place Pentaho behind a reverse proxy that performs strict URL normalization before the app sees the request (decode, collapse, and canonicalize). This neutralizes many non-canonical bypass attempts typical of CWE-647 issues [NVD CVE-2022-43939].
- Temporarily restrict external access to Pentaho BA Server to known management IPs/VPN while patching to reduce the exploitation window highlighted by the KEV listing [CISA KEV].
- Detection ideas (short-term):
  - Hunt web logs for sequences where a 403/404 on a “clean” path is followed by a 200 on an encoded or odd-structured path to the same resource (canonicalization mismatch indicative of CWE-647) [NVD CVE-2022-43939].
  - Alert on spikes in percent-encoded segments, mixed separators, or redundant path elements directed at Pentaho routes post-KEV date, as exploitation is confirmed in the wild [CISA KEV].
  - Baseline legitimate admin/report paths and flag deviations that include unusual encodings or traversal-like artifacts in requests to protected resources [NVD CVE-2022-43939].
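To make the Technical detail section and the detection ideas above concrete, here is an added example (not Pentaho code and not taken from the CISA, NVD or MITRE records) that shows the CWE-647 pattern in miniature: an authorization check that inspects the raw request path while the backend serves the canonical one, the hardened check that canonicalizes first (the same decode-collapse-canonicalize step a fronting reverse proxy should perform), and a log hunt for the “denied on the clean path, then 200 on a differently spelled path to the same resource” sequence. The `/admin/` prefix, client addresses and log lines are constructed for illustration.

```python
"""Constructed demonstration of the CWE-647 pattern behind CVE-2022-43939
(added example, not Pentaho code): an authorization check that inspects the
raw request path while the resource resolver serves the canonical path, the
hardened check that canonicalizes first, and a log hunt for the
deny-then-allow pattern. Paths, clients and log lines are all made up."""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical protected namespace; the real application's routes are not
# reproduced here.
PROTECTED_PREFIXES = ("/admin/",)


def canonicalize(path: str) -> str:
    """Reduce a request path to the single form the backend would resolve.

    Percent-decodes once, collapses '//', '/./' and '/../' segments, and
    lower-cases (lower-casing is a policy choice; it must match how the
    upstream application actually treats case)."""
    decoded = unquote(path)
    # Leading slash is re-added so normpath never keeps a POSIX '//' prefix.
    collapsed = posixpath.normpath("/" + decoded.lstrip("/"))
    return collapsed.lower()


def is_protected(path: str) -> bool:
    return path.startswith(PROTECTED_PREFIXES)


def vulnerable_authorize(raw_path: str, is_admin: bool) -> str:
    """CWE-647: the decision looks at raw_path, but the backend serves
    canonicalize(raw_path), so any non-canonical spelling slips past."""
    if is_protected(raw_path) and not is_admin:
        return "403"
    return "200 " + canonicalize(raw_path)


def hardened_authorize(raw_path: str, is_admin: bool) -> str:
    """Canonicalize first, then decide on exactly the path that will be served
    (the same normalization a fronting reverse proxy should apply)."""
    canon = canonicalize(raw_path)
    if is_protected(canon) and not is_admin:
        return "403"
    return "200 " + canon


# Combined-log-format lines (constructed sample data, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2025:10:00:01 +0000] "GET /admin/report HTTP/1.1" 403 98',
    '10.0.0.5 - - [04/Mar/2025:10:00:02 +0000] "GET /%61dmin/report HTTP/1.1" 200 4312',
    '10.0.0.7 - - [04/Mar/2025:10:00:03 +0000] "GET /admin/users HTTP/1.1" 404 77',
    '10.0.0.7 - - [04/Mar/2025:10:00:04 +0000] "GET /admin/./users?x=1 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [04/Mar/2025:10:00:05 +0000] "GET /public/index HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Mar/2025:10:00:06 +0000] "GET /public/a%20b HTTP/1.1" 200 512',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def hunt_canonicalization_bypass(log_lines):
    """Flag a client that was denied (403/404) on an already-canonical path and
    then got a 200 on a differently spelled path that canonicalizes to it."""
    denied = {}  # (client, canonical path) -> raw path that was denied
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, status = m["client"], m["status"]
        raw = m["target"].split("?", 1)[0]  # drop the query string
        canon = canonicalize(raw)
        key = (client, canon)
        if status in ("403", "404") and raw == canon:
            denied[key] = raw
        elif status == "200" and raw != canon and key in denied:
            hits.append({"client": client, "denied": denied[key], "allowed_as": raw})
    return hits


if __name__ == "__main__":
    print(vulnerable_authorize("/%61dmin/report", is_admin=False))  # 200 /admin/report (bypass)
    print(hardened_authorize("/%61dmin/report", is_admin=False))    # 403
    for hit in hunt_canonicalization_bypass(SAMPLE_LOG):
        print(hit)
```

The point of `hardened_authorize` is that the authorization layer and the resource resolver consult the same canonical string; the hunt in `hunt_canonicalization_bypass` works on the same `canonicalize` function, so whatever normalization your proxy enforces is also what groups log entries into “same resource”. The single `unquote` is deliberate: a proxy that decodes in a loop must bound the iterations, and the rule for case folding must mirror the upstream application rather than be assumed.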
Governance: Track this specific CVE in your vulnerability register to ensure the KEV due date is met, and document compensating controls if patching is deferred [CISA KEV]. Use the MITRE record for consistent ticketing/reference across teams and tools [MITRE CVE-2022-43939].
Lyrie Verdict
CVE-2022-43939 is a classic normalization gap that offensive automation exploits by mutating URLs at scale; it’s trivial for an LLM-guided scanner to generate bypass variants until one lands [NVD CVE-2022-43939]. Lyrie ships machine-speed detectors that normalize every observed URL, compare it to the upstream application’s interpretation, and alert on divergence tied to Pentaho BA Server fingerprints—especially relevant now that CISA has confirmed active exploitation [CISA KEV]. We auto-prioritize assets exposing Pentaho, throttle-test canonicalization edge cases safely, and push targeted guardrails at the proxy layer while your teams patch, grounded in the authoritative CVE record [MITRE CVE-2022-43939].