Attacker Value
(1 user assessed)
Very High
(1 user assessed)


Hitachi Vantara Pentaho Business Analytics Server versions before and, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented. 


  • Attacker Value
  • Exploitability
    Very High
Technical Analysis

This is an authentication bypass in Hitachi Vantara Pentaho Business Analytics Server versions before and, including 8.3.x due to the use of access checks which are done primarily through the applicationContext-spring-security.xml file. Within this file are various regexes which are used to control access to various pages, however the one that stands out is this one:

<sec:intercept-url pattern="\A/[^\?]*(require)(-js)?(-cfg)?.js(\?.*)?\Z" access="Anonymous,Authenticated" />

This regex allows anonymous and authenticated access to any page that starts with a /, followed by any character other than ?, then the word require followed optionally by -js or -cfg, then any character, followed by js and then optionally a ? followed by any characters you like until the end of the line.

So following this we can formulate a few URLs that could bypass authentication:

  • /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js
  • /pentaho/api/ldap/config/ldapTreeNodeChildren/require-cfg.js
  • /pentaho/api/ldap/config/ldapTreeNodeChildren/require-js.js
  • /pentaho/api/ldap/config/ldapTreeNodeChildren/requireBjs.js
  • /pentaho/api/ldap/config/ldapTreeNodeChildren/requireKjs.js?asdf=22&bbb=44&ccc=55

Whilst the article at where this was originally written up seems to suggest that only require.js is possible, we can see that this is not the case based on the regex above.

Combining this with CVE-2022-43769 as discussed at can lead to unauthenticated RCE as the user running the Hitachi Vantara Pentaho Business Analytics Server, which will typically be a privileged user such as a local administrator or local service account, which is where the real risk comes into play.

Given this context, it is highly recommended that this vulnerability be patched as soon as possible. If this was just an authentication bypass without the ability to perform anything useful, then we’d recommend patching it as part of your normal patch cycle, but given the ability to combine this with CVE-2022-43769, and the ease of exploitation of both vulnerabilities to get RCE on the server as an unauthenticated user, patching should be done as soon as possible as it's likely these bugs will be exploited in the wild soon if they have not been so already.
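For defenders reviewing web access logs, the following is an added example and not part of the original assessment or of Pentaho's code: it applies the intercept-url regex quoted above to logged request targets and flags those that satisfy the anonymous-access rule while addressing an API path. The log lines are constructed, and the common log format, the /pentaho/api/ prefix check and the static resource path are assumptions.

```python
import re

# Anonymous-access pattern quoted above from applicationContext-spring-security.xml.
ANON_RULE = re.compile(r"\A/[^\?]*(require)(-js)?(-cfg)?.js(\?.*)?\Z")

# Assumption: REST endpoints sit under this prefix, as in the paths listed above,
# and the log records the request target including the /pentaho context path.
API_PREFIX = "/pentaho/api/"

# Assumption: access log is in common log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_requests(lines):
    """Return requests that satisfy the anonymous rule but address an API path."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target = m["target"]
        path = target.split("?", 1)[0]
        if ANON_RULE.match(target) and path.startswith(API_PREFIX):
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "target": target,
                # Anything other than 401/403 means the request got past the
                # access check and deserves follow-up.
                "status": int(m["status"]),
            })
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical static path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2023:10:00:00 +0000] "GET /pentaho/content/common-ui/resources/web/require.js HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2023:10:00:01 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren/require.js HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2023:10:00:02 +0000] "GET /pentaho/api/ldap/config/ldapTreeNodeChildren HTTP/1.1" 401 0',
    '198.51.100.7 - - [01/Jan/2023:10:00:03 +0000] "POST /pentaho/api/ldap/config/ldapTreeNodeChildren/require-cfg.js?x=1 HTTP/1.1" 500 88',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["target"], hit["status"])
```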

General Information


  • Hitachi Vantara


  • Pentaho Business Analytics Server