Hitachi Vantara Pentaho Business Analytics Server vulnerabilities
37 known vulnerabilities affecting hitachi_vantara/pentaho_business_analytics_server.
Total CVEs: 37
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 2, HIGH 12, MEDIUM 23
Vulnerabilities
Page 1 of 2
CVE-2022-43939 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | CWE-647 | 2023-04-03
Affected: ≥ 1.0, < 9.3.0.2; ≥ 9.4.0.0, < 9.4.0.1
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
Source: NVD
CVE-2022-43769 | P1 | HIGH | CVSS 7.2 | KEV | PoC | CWE-74 | 2023-04-03
Affected: ≥ 1.0, < 9.3.0.2; ≥ 9.4.0.0, < 9.4.0.1
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
Source: NVD
CVE-2022-43938 | P2 | HIGH | CVSS 8.8 | CWE-96 | 2023-04-03
Affected: ≥ 1.0, < 9.3.0.2; ≥ 9.4.0.0, < 9.4.0.1
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.
Source: NVD
CVE-2022-43773 | P2 | HIGH | CVSS 8.8 | CWE-732 | 2023-04-03
Affected: ≥ 1.0, < 9.3.0.2; ≥ 9.4.0.0, < 9.4.0.1
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled.
Source: NVD
CVE-2024-37361 | P2 | CRITICAL | CVSS 9.9 | CWE-502 | 2025-02-20
Affected: ≥ 1.0, < 9.3.0.9
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
When develope
Source: NVD
CVE-2024-5706 | P2 | HIGH | CVSS 8.8 | CWE-99 | 2025-02-19
Affected: ≥ 1.0, < 9.3.0.9
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI
Source: NVD
CVE-2024-5705 | P3 | HIGH | CVSS 8.8 | CWE-863 | 2025-02-19
Affected: ≥ 1.0, < 9.3.0.9
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules en
Source: NVD
CVE-2022-43771 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | 2023-04-03
Affected: ≥ 1.0, < 9.3.0.1
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin exposes a service endpoint for CSV import which allows a user supplied path to access resources that are out of bounds.
Source: NVD
CVE-2024-37359 | P3 | HIGH | CVSS 8.6 | CWE-918 | 2025-02-19
Affected: ≥ 1.0, < 9.3.0.9
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the H
Source: NVD
CVE-2022-43940 | P3 | HIGH | CVSS 8.8 | CWE-863 | 2023-04-03
Affected: ≥ 1.0, < 9.3.0.2; ≥ 9.4.0.0, < 9.4.0.1
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service.
Source: NVD
CVE-2022-4815 | P3 | HIGH | CVSS 8.8 | CWE-502 | 2023-05-24
Affected: ≥ 1.0, < 9.3.0.3; ≥ 9.4.0.0, < 9.4.0.1
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods.
Source: NVD
CVE-2024-28982 | P3 | HIGH | CVSS 8.2 | CWE-776 | 2024-06-26
Affected: ≥ 1.0, < 9.3.0.7; ≥ 8.3, < 10.1.0.0
Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.
Source: NVD
CVE-2022-43770 | P3 | HIGH | CVSS 8.1 | CWE-863 | 2023-04-11
Affected: ≥ 1.0, < 8.3.0.27; ≥ 9.0.0.0, < 9.2.0.4
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 do not correctly perform an authorization check in the dashboard editor plugin API.
Source: NVD
CVE-2021-45447 | P3 | HIGH | CVSS 7.5 | CWE-319 | 2022-11-02
Affected: ≥ 9.0.0.0, < 9.2.0.2; ≥ 1.0, < 8.3.0.25
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. The transmission of sensitive data in clear text allows unauthorized actors with access to the network to sniff and obtain sensitive information that can be later used to gain
Source: NVD
CVE-2021-45446 | P3 | HIGH | CVSS 7.5 | CWE-548 | 2022-11-02
Affected: ≥ 1.0, < 8.3.0.25; ≥ 9.0, < 9.2.0.2
A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory.
Source: NVD
CVE-2021-45448 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | 2022-11-02
Affected: ≥ 9.2, < 9.2.0.2; ≥ 1.0, < 8.3.0.25
Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds.
The software uses external input to construct a pathname that is intended to identify a file or directory that is located undernea
Source: NVD
CVE-2022-43941 | P3 | MEDIUM | CVSS 6.5 | CWE-611 | 2023-04-03
Affected: ≥ 1.0, < 9.3.0.2; ≥ 9.4.0.0, < 9.4.0.1
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference.
Source: NVD
CVE-2024-37363 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | 2025-02-20
Affected: ≥ 1.0, < 9.3.0.8
The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an authorization check in the data source management service.
When access control checks
Source: NVD
CVE-2024-37362 | P3 | MEDIUM | CVSS 6.3 | CWE-522 | 2025-02-20
Affected: ≥ 1.0, < 9.3.0.8
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522)
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, disclose database passwords when saving connections to RedShift.
Source: NVD
CVE-2022-43772 | P4 | MEDIUM | CVSS 6.5 | CWE-532 | 2023-04-03
Affected: ≥ 1.0, < 9.3.0.1
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs.
Source: NVD