Hitachi Vantara Pentaho vulnerabilities
16 known vulnerabilities affecting hitachi/vantara_pentaho.
Total CVEs
16
CISA KEV
0
Public exploits
1
Exploited in wild
1
Severity breakdown
CRITICAL1HIGH6MEDIUM9
Vulnerabilities
Page 1 of 1
CVE-2021-31602P1HIGHCVSS 7.5ExploitedPoC≤ 9.1.0.02021-11-08
CVE-2021-31602 [HIGH] CWE-287 CVE-2021-31602: An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Ser
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file. The default configuration allows an unauthenticated
nvd
CVE-2021-34684P2CRITICALCVSS 9.8≤ 9.1.0.02021-11-08
CVE-2021-34684 [CRITICAL] CWE-89 CVE-2021-34684: Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arb
Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.
nvd
CVE-2021-31599P3HIGHCVSS 8.8≤ 9.1.0.02021-11-08
CVE-2021-31599 [HIGH] CWE-434 CVE-2021-31599: An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Ser
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code.
nvd
CVE-2021-34685P3HIGHCVSS 7.2≤ 9.1.0.02021-11-08
CVE-2021-34685 [HIGH] CWE-434 CVE-2021-34685: UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify upl
UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code execution).
nvd
CVE-2022-4815P3HIGHCVSS 8.8≥ 8.3.0.0, ≤ 8.3.0.252023-05-24
CVE-2022-4815 [HIGH] CWE-502 CVE-2022-4815: Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods.
nvd
CVE-2021-45447P3HIGHCVSS 7.5≥ 8.3.0.0, < 8.3.0.25≥ 9.2.0.0, < 9.2.0.22022-11-02
CVE-2021-45447 [HIGH] CWE-319 CVE-2021-45447: Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 wi
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and
8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text.
The transmission of sensitive data in clear text allows unauthorized actors with access to the
network to sniff and obtain sensitive information that can be later used to gain
nvd
CVE-2021-45446P3HIGHCVSS 7.5≥ 8.3.0.0, < 8.3.0.25≥ 9.2.0.0, < 9.2.0.22022-11-02
CVE-2021-45446 [HIGH] CWE-548 CVE-2021-45446: A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and
A vulnerability in
Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and
8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located
inside the directory.
nvd
CVE-2021-45448P3MEDIUMCVSS 6.5≥ 8.3.0.0, < 8.3.0.25≥ 9.2.0.0, < 9.2.0.22022-11-02
CVE-2021-45448 [MEDIUM] CWE-22 CVE-2021-45448: Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer
Pentaho Business Analytics
Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho
Analyzer plugin exposes a service endpoint for templates which allows a
user-supplied path to access resources that are out of bounds.
The software uses external input to construct a pathname that is intended to identify a file or
directory that is located undernea
nvd
CVE-2021-31601P3MEDIUMCVSS 6.5≤ 9.1.0.02021-11-08
CVE-2021-31601 [MEDIUM] CVE-2021-31601: An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Ser
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all databases connection details and credentials.
nvd
CVE-2020-24665P4MEDIUMCVSS 6.5≥ 7.0.0, < 7.1.0.25≥ 8.0.0, < 8.2.0.62021-01-29
CVE-2020-24665 [MEDIUM] CWE-776 CVE-2020-24665: The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains an XML Entity Expansion i
The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains an XML Entity Expansion injection vulnerability, which allows an authenticated remote users to trigger a denial of service (DoS) condition. Specifically, the vulnerability lies in the 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, >= 8.3.0.0 GA
nvd
CVE-2020-24666P4MEDIUMCVSS 5.4≥ 7.0.0, < 9.1.0.12021-01-29
CVE-2020-24666 [MEDIUM] CWE-79 CVE-2020-24666: The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored Cross-site script
The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Display Name' parameter. Remediated in >= 9.1.0.1
nvd
CVE-2020-24669P4MEDIUMCVSS 5.4≥ 7.0.0, < 8.3.0.9≥ 9.0.0, < 9.0.0.12021-01-29
CVE-2020-24669 [MEDIUM] CWE-79 CVE-2020-24669: The New Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a DOM-based Cross-site
The New Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a DOM-based Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Analysis Report Description' field in 'About this Report' section. Remediated in >= 8.3.0.9, >= 9.0.
nvd
CVE-2020-24670P4MEDIUMCVSS 5.4≥ 7.0.0, < 7.1.0.25≥ 8.0.0, < 8.2.0.62021-01-29
CVE-2020-24670 [MEDIUM] CWE-79 CVE-2020-24670: The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site sc
The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'type' attribute of 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, and >= 8.3.0.0 GA.
nvd
CVE-2020-24664P4MEDIUMCVSS 5.4≥ 7.0.0, < 7.1.0.25≥ 8.0.0, < 8.2.0.62021-01-29
CVE-2020-24664 [MEDIUM] CWE-79 CVE-2020-24664: The dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site sc
The dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'pho:title' attribute of 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, and >= 8.3.0.0
nvd
CVE-2021-31600P4MEDIUMCVSS 4.3≤ 9.1.0.02021-11-08
CVE-2021-31600 [MEDIUM] CWE-552 CVE-2021-31600: An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Ser
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all valid usernames.
nvd
CVE-2023-1158P4MEDIUMCVSS 4.3≥ 8.3.0.0, ≤ 8.3.0.252023-05-24
CVE-2023-1158 [MEDIUM] CWE-863 CVE-2023-1158: Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list.
nvd