Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pentaho BA Server prior to 9.4.0.0 and 9.3.0.2 exposes full SQL queries in error messages when invalid characters are used in reports.
Vulnerability
Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.0 and 9.3.0.2, including the 8.3.x series, are affected by an information disclosure vulnerability (CWE-209). When an invalid character is used within a Pentaho Report (.prpt), the server displays the full parametrized SQL query in the resulting error message [1].
Exploitation
An attacker must be able to supply a crafted Pentaho Report file (.prpt) that contains an invalid character. Upon processing this report, the server generates an error message that includes the complete parametrized SQL query. No authentication is explicitly required beyond the ability to trigger report execution [1].
Impact
The error message exposes the full SQL query, which may reveal database schema, query logic, and potentially sensitive information such as passwords or other data embedded in the query. An attacker can leverage this information to conduct more targeted attacks, including SQL injection (CWE-89) [1].
Mitigation
Hitachi Vantara recommends upgrading to Pentaho Business Analytics Server version 9.4.0.0 or later. For customers on version 9.3, updating to Service Pack 9.3.0.2 or above addresses the vulnerability. No workarounds are provided; users should also review the Pentaho End-of-Life policy to ensure they are on a supported version [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
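The narrative above describes the CWE-209 pattern (a database error is reported to the requester together with the full parametrized query) and the fix is an upgrade. The following is an added illustration of the defensive pattern a report engine should follow, not code from Pentaho or Hitachi Vantara: the leaky handler echoes the driver error and the query text to the client, the hardened handler returns a generic message with a reference id and keeps the detail in the server-side log, and a small check flags client-facing error bodies that still contain SQL. The in-memory sqlite3 schema, the report query, and the malformed query standing in for the "invalid character in the report" are all constructed assumptions.

```python
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("report-engine")

# Constructed stand-in for a reporting database (assumption, not Pentaho's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (region TEXT, amount REAL)")
    conn.execute("INSERT INTO sales VALUES ('EMEA', 100.0)")
    return conn

# Constructed query text as a report definition might carry it.
REPORT_QUERY = "SELECT region, SUM(amount) FROM sales WHERE region = ? GROUP BY region"

# Constructed malformed query: the unterminated string literal plays the role of
# the invalid character that makes the report's SQL fail to parse.
BROKEN_QUERY = "SELECT region, SUM(amount) FROM sales WHERE region = 'EMEA GROUP BY region"


def run_report_leaky(conn, query, params):
    """CWE-209 pattern: driver error and the full parametrized query go to the client."""
    try:
        return {"ok": True, "rows": conn.execute(query, params).fetchall()}
    except sqlite3.Error as exc:
        # Vulnerable: query text (schema, logic, embedded literals) reaches the requester.
        return {"ok": False, "error": f"{exc} -- query was: {query} params={params!r}"}


def run_report_hardened(conn, query, params):
    """Generic client-facing message; full detail is logged server-side under a reference id."""
    try:
        return {"ok": True, "rows": conn.execute(query, params).fetchall()}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        # Operators can correlate the reference id with this log line.
        log.error("report failure ref=%s query=%r params=%r err=%s", ref, query, params, exc)
        return {"ok": False, "error": f"Report could not be executed (reference {ref})."}


# Detection-side check: does a client-facing error body carry SQL syntax?
SQL_LEAK = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN)\b", re.IGNORECASE)


def leaks_sql(response_text):
    """True when an error message returned to a client contains SQL keywords."""
    return SQL_LEAK.search(response_text) is not None


if __name__ == "__main__":
    db = make_db()
    for handler in (run_report_leaky, run_report_hardened):
        result = handler(db, BROKEN_QUERY, ())
        print(handler.__name__, "leaks SQL:", leaks_sql(result["error"]))
```

The `leaks_sql` check is deliberately coarse: run it over the error bodies an application returns (for instance from a proxy log of 4xx/5xx responses) to find endpoints that still echo query text, then route that detail to the server log as `run_report_hardened` does.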
Affected products
- Range: <9.4.0.0, <9.3.0.2
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.