Hitachi Vantara Pentaho Business Analytics Server vulnerabilities
37 known vulnerabilities affecting hitachi_vantara/pentaho_business_analytics_server.
Total CVEs: 37
CISA KEV: 2 (actively exploited)
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 2, HIGH 12, MEDIUM 23
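Each entry on this page gives its affected builds as one or more version ranges written with comparison operators (for example ≥ 1.0, < 9.3.0.2 together with ≥ 9.4.0.0, < 9.4.0.1 for CVE-2022-3960, or ≥ 1.0, ≤ 9.3.* with a wildcard). The following is an added example, not a Hitachi Vantara tool and not part of this page's source: a Python checker that parses that notation and reports which of a sample of the listed CVEs apply to a given installed version. Versions of unequal length compare as if zero-padded (8.3 equals 8.3.0.0), ".*" covers every version with that prefix, and disjoint ranges are separated by ";" in the strings it accepts. The CVE table inside it is a subset copied from this page.

```python
"""Decide whether an installed Pentaho Server build falls inside the affected
ranges listed on this page.

Added example, not a Hitachi Vantara tool. Implements the range notation used
in the entries: operators >= <= < > (or their Unicode forms) against dotted
versions, the ".*" wildcard, and several ranges separated by ";".
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Bound = Tuple[str, Version]

_BOUND_RE = re.compile(r"\s*(≥|≤|>=|<=|<|>)\s*(\d+(?:\.\d+)*)(\.\*)?\s*")
_OPS = {"≥": ">=", "≤": "<=", ">=": ">=", "<=": "<=", "<": "<", ">": ">"}


def parse_version(text: str) -> Version:
    return tuple(int(p) for p in text.strip().split("."))


def compare(a: Version, b: Version) -> int:
    """-1, 0 or 1; shorter tuples are zero-padded first, so 8.3 == 8.3.0.0."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def _bump(v: Version) -> Version:
    """Smallest version strictly above every version sharing prefix v."""
    return v[:-1] + (v[-1] + 1,)


def parse_range(text: str) -> List[Bound]:
    """'≥ 1.0, ≤ 9.3.*' -> [('>=', (1, 0)), ('<', (9, 4))]."""
    bounds: List[Bound] = []
    for part in text.split(","):
        m = _BOUND_RE.fullmatch(part)
        if not m:
            raise ValueError(f"unparseable bound: {part!r}")
        op, ver, wild = _OPS[m.group(1)], parse_version(m.group(2)), bool(m.group(3))
        if wild:
            # 'X.*' means every version with prefix X: <= X.* is < bump(X) and
            # > X.* is >= bump(X); >= and < mean the same with or without it.
            if op == "<=":
                op, ver = "<", _bump(ver)
            elif op == ">":
                op, ver = ">=", _bump(ver)
        bounds.append((op, ver))
    return bounds


def in_range(installed: Version, bounds: List[Bound]) -> bool:
    for op, ver in bounds:
        c = compare(installed, ver)
        if ((op == ">=" and c < 0) or (op == ">" and c <= 0)
                or (op == "<" and c >= 0) or (op == "<=" and c > 0)):
            return False
    return True


def is_affected(installed: str, ranges: str) -> bool:
    """True if the installed version lies inside any ';'-separated range."""
    v = parse_version(installed)
    return any(in_range(v, parse_range(r)) for r in ranges.split(";") if r.strip())


# Subset of this page's entries: CVE -> affected ranges as printed there.
PAGE_RANGES: Dict[str, str] = {
    "CVE-2024-6697": "≥ 1.0, < 9.3.0.9",
    "CVE-2022-3960": "≥ 1.0, < 9.3.0.2; ≥ 9.4.0.0, < 9.4.0.1",
    "CVE-2025-24910": "≥ 1.0, ≤ 9.3.*; ≥ 10.0, < 10.2.0.2",
    "CVE-2024-28983": "≥ 1.0, < 9.3.0.7; ≥ 8.3, < 10.1.0.0",
    "CVE-2023-2358": "≥ 1.0, < 9.3.0.5; ≥ 9.5.0.0, < 9.5.0.1",
    "CVE-2025-0757": "≥ 1.0, < 10.2.0.2",
}


def affected_cves(installed: str) -> List[str]:
    """CVEs from the table whose ranges contain the installed version."""
    return [cve for cve, rng in PAGE_RANGES.items() if is_affected(installed, rng)]


if __name__ == "__main__":
    for build in ("8.3.0.20", "9.3.0.5", "10.2.0.2"):
        print(build, affected_cves(build))
```

Note the boundary semantics: a build equal to the fixed version (9.3.0.2 for CVE-2022-3960, 10.2.0.2 for the 2025 entries) is outside the range, while the wildcard bound ≤ 9.3.* includes every 9.3.x build and stops at 9.4.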
Vulnerabilities (page 2 of 2)
CVE-2024-6697 | P3 | MEDIUM | CVSS 6.5 | CWE-280 | Affected: ≥ 1.0, < 9.3.0.9 | Date 2025-02-20
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.
Source: nvd
CVE-2022-3960 | P4 | MEDIUM | CVSS 6.3 | CWE-96 | Affected: ≥ 1.0, < 9.3.0.2; ≥ 9.4.0.0, < 9.4.0.1 | Date 2023-04-03
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, does not allow a system administrator to disable the scripting capabilities of the Community Dashboard Editor (CDE) plugin.
Source: nvd
CVE-2025-24910 | P4 | MEDIUM | CVSS 4.9 | CWE-611 | Affected: ≥ 1.0, ≤ 9.3.*; ≥ 10.0, < 10.2.0.2 | Date 2025-04-16
Overview
XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application
Source: nvd
CVE-2024-28983 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 1.0, < 9.3.0.7; ≥ 8.3, < 10.1.0.0 | Date 2024-06-26
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.
Source: nvd
CVE-2024-28984 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 1.0, < 9.3.0.7; ≥ 8.3, < 10.1.0.0 | Date 2024-06-26
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.
Source: nvd
CVE-2025-24911 | P4 | MEDIUM | CVSS 4.9 | CWE-611 | Affected: ≥ 1.0, ≤ 9.3.*; ≥ 10.0, < 10.2.0.2 | Date 2025-04-16
Overview
XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application
Source: nvd
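The two CWE-611 overviews above (CVE-2025-24910 and CVE-2025-24911) describe the mechanism: a DTD defines an entity whose replacement text is fetched from a URI, and the fetched content flows back into the parsing application. The simplest defence that does not depend on the feature flags of any particular parser is to refuse documents that carry a DTD at all. The block below is an added example, not Pentaho code or anything from this page's source: a pre-parse guard built on Python's standard-library expat bindings, exercised against constructed sample documents (a benign report, a file-read XXE payload, and a harmless internal entity that shows the default parser does expand DTD entities).

```python
"""Reject XML that declares a DTD before the application parser sees it.

Added example, not Pentaho code. All inputs below are constructed for the
demonstration.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed inputs: a plain report, a classic file-read XXE, and an
# internal entity that the default parser expands without complaint.
BENIGN = b'<?xml version="1.0"?><report><title>Q1</title></report>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE report [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<report><title>&xxe;</title></report>')
INTERNAL = (b'<!DOCTYPE report [<!ENTITY q "Q1">]>'
            b'<report><title>&q;</title></report>')


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE (internal or external subset)."""


def assert_no_dtd(data: bytes) -> None:
    """Throw-away expat pass that aborts at the first DOCTYPE declaration.

    Rejecting every DTD, not just external entities, also closes
    entity-expansion DoS and external-DOCTYPE fetches.
    """
    parser = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(
            f"DOCTYPE {name!r} rejected (SYSTEM={sysid!r}, "
            f"internal subset={bool(has_internal_subset)})")

    parser.StartDoctypeDeclHandler = start_doctype
    # Belt and braces: never process parameter entities either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def safe_fromstring(data: bytes) -> ET.Element:
    """Parse only after the DTD guard has passed."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def unguarded_title(data: bytes) -> str:
    """What the default parser yields: DTD entities are expanded silently."""
    return ET.fromstring(data).findtext("title")


def classify(data: bytes) -> str:
    """'rejected', 'malformed', or the root tag of an accepted document."""
    try:
        return safe_fromstring(data).tag
    except DtdNotAllowed:
        return "rejected"
    except (ET.ParseError, expat.ExpatError):
        return "malformed"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("internal", INTERNAL)):
        print(label, "->", classify(doc))
    print("unguarded parser expands internal entity to:", unguarded_title(INTERNAL))
```

The guard runs as a separate pass so it can sit in front of whatever parser the application already uses; in a Java service the equivalent is to set the disallow-doctype-decl feature on the factory, which this Python guard mirrors in behaviour rather than in API.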
CVE-2024-6696 | P4 | MEDIUM | CVSS 4.9 | CWE-1220 | Affected: ≥ 1.0, < 9.3.0.9 | Date 2025-02-20
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the
Source: nvd
CVE-2025-0758 | P4 | MEDIUM | CVSS 6.1 | CWE-732 | Affected: ≥ 1.0, ≤ 9.3.*; ≥ 10.0, < 10.2.0.2 | Date 2025-04-16
Overview
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (CWE-732)
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, is installed with Karaf JMX beans enabled and accessible by default.
Source: nvd
CVE-2022-3695 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 1.0, < 8.3.0.27; ≥ 9.0.0.0, < 9.2.0.4 | Date 2023-04-11
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allows a malicious URL to inject content into a dashboard when the CDE plugin is present.
Source: nvd
CVE-2022-4771 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: ≥ 1.0, < 9.3.0.2; ≥ 9.4.0.0, < 9.4.0.1 | Date 2023-04-03
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows a malicious URL to inject content into the Pentaho User Console through session variables.
Source: nvd
CVE-2023-2358 | P4 | MEDIUM | CVSS 4.9 | CWE-257 | Affected: ≥ 1.0, < 9.3.0.5; ≥ 9.5.0.0, < 9.5.0.1 | Date 2023-09-27
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.
Source: nvd
CVE-2023-1158 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | Affected: ≥ 1.0, < 9.3.0.3; ≥ 9.4.0.0, < 9.4.0.1 | Date 2023-05-24
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, expose dashboard prompts to users who are not on the authorization list.
Source: nvd
CVE-2025-0757 | P4 | MEDIUM | CVSS 4.4 | CWE-79 | Affected: ≥ 1.0, < 10.2.0.2 | Date 2025-04-16
Overview
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allows a malicious URL to inject content in
Source: nvd
CVE-2025-24909 | P4 | MEDIUM | CVSS 4.4 | CWE-79 | Affected: ≥ 1.0, ≤ 9.3.*; ≥ 10.0, < 10.2.0.2 | Date 2025-04-16
Overview
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allows a malicious URL to inject content
Source: nvd
CVE-2022-4769 | P4 | MEDIUM | CVSS 4.3 | CWE-209 | Affected: ≥ 1.0, < 9.3.0.2 | Date 2023-04-03
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the target path on the host when a file is uploaded with an invalid character in its name.
Source: nvd
CVE-2024-37360 | P4 | MEDIUM | CVSS 4.4 | CWE-79 | Affected: ≥ 1.0, < 9.3.0.9 | Date 2025-02-19
Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)
Hitachi Vantara Pentaho B
Source: nvd
CVE-2022-4770 | P4 | MEDIUM | CVSS 4.3 | CWE-209 | Affected: ≥ 1.0, < 9.3.0.2 | Date 2023-04-03
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).
Source: nvd
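CVE-2022-4769 and CVE-2022-4770 are both CWE-209: an error path echoes internal detail (a server-side path, the parametrized SQL of a report) to the caller. The fix pattern is the same for both: log the full exception server-side under a correlation id and return only a generic message plus that id to the client. The block below is an added example, not Pentaho code or anything from this page's source; the two exception messages are constructed to resemble the disclosures the entries describe, and the path in them is made up.

```python
"""Generic client error with server-side detail, the pattern that closes CWE-209.

Added example, not Pentaho code. The exception texts below are constructed to
look like the two disclosures on this page; the path is invented.
"""
import logging
import uuid
from typing import Any, Callable, Dict

log = logging.getLogger("report-service")

# Constructed failures: an upload rejected for an invalid filename character,
# and a report whose query failed. Both carry text a client must not see.
UPLOAD_FAILURE = FileNotFoundError(
    "/opt/pentaho-server/pentaho-solutions/system/tmp/upload/bad|name.csv")
REPORT_FAILURE = RuntimeError(
    "SQL failed: SELECT region, SUM(amount) FROM sales WHERE year = ? AND dept = ?")

GENERIC_MESSAGE = "The request could not be processed."


def leaky_response(exc: Exception) -> Dict[str, Any]:
    """The 'before' behaviour: the exception text goes straight to the caller."""
    return {"ok": False, "error": str(exc)}


def safe_response(exc: Exception) -> Dict[str, Any]:
    """Log type and detail under a correlation id; return only the id."""
    ref = uuid.uuid4().hex[:12]
    log.error("request failed ref=%s type=%s detail=%s", ref, type(exc).__name__, exc)
    return {"ok": False, "error": GENERIC_MESSAGE, "ref": ref}


def run(action: Callable[[], Any], handler: Callable[[Exception], Dict[str, Any]]) -> Dict[str, Any]:
    """Execute a request action and route any failure through the chosen handler."""
    try:
        return {"ok": True, "result": action()}
    except Exception as exc:  # noqa: BLE001 - the handler decides what to reveal
        return handler(exc)


def fail(exc: Exception) -> Callable[[], Any]:
    """Build an action that raises the given exception (simulates a failing request)."""
    def action() -> Any:
        raise exc
    return action


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print("leaky:", run(fail(UPLOAD_FAILURE), leaky_response))
    print("safe: ", run(fail(REPORT_FAILURE), safe_response))
```

The correlation id is what lets support staff find the full detail in the server log when a user reports the generic message, so the operator loses nothing while the client sees neither the filesystem layout nor the query text.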