Hitachi Vantara Pentaho Business Analytics Server - Insertion of Sensitive Information into Log File
Description
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin, expose the username and password of clusters in clear text in system logs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hitachi Vantara Pentaho BA Server logs cluster credentials in plaintext; fixed in 9.4.0.0 and 9.3.0.1.
Vulnerability
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin, expose the username and password of clusters in clear text in system logs [1]. This is an insertion of sensitive information into log files (CWE-532).
Exploitation
An attacker with access to system logs can retrieve plaintext credentials. No special privileges or user interaction is required beyond access to the log files where the information is written.
Impact
Successful exploitation allows the attacker to obtain cluster credentials, leading to unauthorized access to clustered resources and potential compromise of data confidentiality and integrity.
Mitigation
Upgrade to Pentaho version 9.4.0.0 or, for version 9.3, update to service pack 9.3.0.1 or later. Versions 8.3.x are impacted; check the Pentaho End-of-Life policy for support status [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.4.0.0, <9.3.0.1
- Range: 1.0
Patches
No patches discovered yet.
References