PatchSiren cyber security CVE debrief
CVE-2022-43769 Hitachi Vantara CVE debrief
CVE-2022-43769 is a CISA Known Exploited Vulnerability affecting Hitachi Vantara Pentaho Business Analytics (BA) Server. The KEV record identifies it as a special element injection issue and points to vendor guidance for mitigation. Because CISA has flagged it for active exploitation, organizations running Pentaho BA Server should treat it as a high-priority remediation item, especially for versions noted by the vendor as impacted.
- Vendor: Hitachi Vantara
- Product: Pentaho Business Analytics (BA) Server
- CVSS: Unknown (no score supplied in the source record)
- CISA KEV: Listed
- Original CVE published: 2025-03-03
- Original CVE updated: 2025-03-03
- Advisory published: 2025-03-03
- Advisory updated: 2025-03-03
Who should care
Administrators, security teams, and asset owners responsible for Hitachi Vantara Pentaho Business Analytics (BA) Server deployments, especially environments running releases below 9.4.0.1 on the 9.4 line, below 9.3.0.2 on the 9.3 line, or any 8.3.x release.
Technical summary
The available official records describe CVE-2022-43769 as a "Special Element Injection Vulnerability" in Hitachi Vantara Pentaho BA Server. The vendor support article title, "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)", is the name of CWE-75: the general weakness in which attacker-controlled input carrying special characters or control sequences is passed unneutralized to a downstream component that interprets it in a different context. The source records do not identify the affected component, the injection sink, or the preconditions for exploitation, so nothing beyond the weakness class should be assumed from this debrief. CISA's KEV catalog lists the vulnerability as known exploited and references vendor mitigation guidance. The source notes give the affected range as releases before 9.4.0.1 and 9.3.0.2, including 8.3.x.
Defensive priority
High. This is a KEV-listed vulnerability, so it should be prioritized for expedited mitigation or removal from service if mitigation is not available.
Recommended defensive actions
- Confirm whether any Hitachi Vantara Pentaho Business Analytics (BA) Server instances are in use, including legacy or embedded deployments.
- Check installed versions against the vendor-referenced impacted range noted in the source record: below 9.4.0.1 on the 9.4 line, below 9.3.0.2 on the 9.3 line, and all 8.3.x releases.
- Apply vendor-recommended mitigations from the official Hitachi Vantara support guidance referenced by CISA.
- If mitigation cannot be applied, discontinue use of the product on affected systems.
- Track remediation against CISA’s KEV due date (2025-03-24) and verify exposure is removed.
- Validate that internet-facing or externally reachable instances are remediated first.
- Document compensating controls and confirm they are actually enforced until the issue is closed.
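The version check and due-date tracking above are easy to get wrong by hand (Pentaho build strings carry a hyphenated build number, and the 9.3 line has its own fix version). The following helper is an added example written for this debrief; it is not Hitachi Vantara or CISA tooling. It assumes the affected range is read literally from the KEV notes (anything below 9.4.0.1 is affected unless it is a 9.3.x build at or above 9.3.0.2; every 8.3.x build is affected), that build suffixes such as "-343" can be ignored for the comparison, and that the inventory list is constructed sample data. Host names and the exposure field are illustrative assumptions, not anything from the source record.

```python
"""Triage helper for CVE-2022-43769 on Pentaho BA Server.

Added example, not vendor or CISA code. Flags inventory entries that fall
in the affected range cited by the KEV record, orders internet-facing hosts
first, and reports days remaining to the KEV due date.
"""
from __future__ import annotations

import re
from datetime import date

CVE_ID = "CVE-2022-43769"
FIXED_94 = (9, 4, 0, 1)       # first fixed build on the 9.4 line (per KEV notes)
FIXED_93 = (9, 3, 0, 2)       # first fixed build on the 9.3 line (per KEV notes)
KEV_DUE_DATE = date(2025, 3, 24)  # due date stated in the KEV record

_VERSION_RE = re.compile(r"\d+(\.\d+)*")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '9.4.0.0-343' into (9, 4, 0, 0). The build suffix after '-' is
    dropped (assumption: it does not affect the patched/unpatched decision).
    Short strings such as '8.3' are right-padded with zeros."""
    core = text.strip().split("-", 1)[0]
    if not _VERSION_RE.fullmatch(core):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in core.split("."))
    return (parts + (0, 0, 0, 0))[:4]


def is_affected(version: str) -> bool:
    """Literal reading of 'before 9.4.0.1 and 9.3.0.2, including 8.3.x'."""
    v = parse_version(version)
    if v >= FIXED_94:
        return False              # 9.4.0.1+, and any newer line
    if v[:2] == (9, 3) and v >= FIXED_93:
        return False              # 9.3 line patched from 9.3.0.2
    return True                   # 9.4.0.0, 9.3.0.0/9.3.0.1, 8.3.x, older


def days_to_due(today: date, due: date = KEV_DUE_DATE) -> int:
    """Days left until the KEV due date; negative means overdue."""
    return (due - today).days


# Constructed sample inventory; hosts and exposure values are invented.
INVENTORY = [
    {"host": "bi-prod-01",   "version": "9.4.0.0-343",  "exposure": "internet"},
    {"host": "bi-prod-02",   "version": "9.4.0.1-201",  "exposure": "internal"},
    {"host": "bi-legacy-01", "version": "8.3.0.20-120", "exposure": "internal"},
    {"host": "bi-qa-01",     "version": "9.3.0.2-42",   "exposure": "internal"},
    {"host": "bi-qa-02",     "version": "9.3.0.1-10",   "exposure": "internet"},
]


def triage(inventory: list[dict], today: date) -> list[dict]:
    """Return affected hosts, internet-facing first (the page's ordering),
    each annotated with the CVE and days remaining to the KEV due date."""
    remaining = days_to_due(today)
    findings = [
        {"host": item["host"], "version": item["version"],
         "exposure": item["exposure"], "cve": CVE_ID, "days_to_due": remaining}
        for item in inventory
        if is_affected(item["version"])
    ]
    findings.sort(key=lambda f: (f["exposure"] != "internet", f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, date(2025, 3, 3)):
        print(f"{f['host']:<14} {f['version']:<14} {f['exposure']:<9} "
              f"{f['cve']} due in {f['days_to_due']} days")
```

Entries that fail to parse raise rather than silently passing, which is the safer default for a KEV item: an unknown version should be investigated, not assumed fixed.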
Evidence notes
CISA’s Known Exploited Vulnerabilities catalog lists this CVE with vendorProject "Hitachi Vantara," product "Pentaho Business Analytics (BA) Server," and dateAdded 2025-03-03. The source metadata marks knownRansomwareCampaignUse as "Unknown" and states the required action: apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. The notes reference a Hitachi Vantara support article titled "Resolved - Pentaho BA Server Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)" and identify affected versions before 9.4.0.1 and 9.3.0.2, including 8.3.x. No CVSS score was supplied in the provided corpus.
Official resources
- CVE-2022-43769 CVE record (CVE.org)
- CVE-2022-43769 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA). Required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Source item URL: cisa_kev
Public debrief based only on the supplied official sources and metadata. This write-up does not add unsupported exploit details or reproduction guidance.