Pentaho Business Analytics
by Hitachi
CVEs (38)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-37361 | | Cri | 0.64 | 9.9 | 0.00 | | Feb 20, 2025 | The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without… |
| CVE-2024-5705 | | Hig | 0.57 | 8.8 | 0.00 | | Feb 19, 2025 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business… |
| CVE-2016-10701 | | Hig | 0.57 | 8.8 | 0.01 | | Nov 28, 2017 | In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application. |
| CVE-2024-37359 | | Hig | 0.56 | 8.6 | 0.00 | | Feb 19, 2025 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918) Hitachi Vantara Pentaho Business Analytics… |
| CVE-2024-6697 | | Med | 0.42 | 6.5 | 0.00 | | Feb 20, 2025 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280) … |
| CVE-2024-37363 | | Med | 0.42 | 6.5 | 0.00 | | Feb 20, 2025 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an… |
| CVE-2025-0758 | | Med | 0.40 | 6.1 | 0.00 | | Apr 16, 2025 | Overview The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (CWE-732) Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2,… |
| CVE-2025-24911 | | Med | 0.32 | 4.9 | 0.00 | | Apr 16, 2025 | Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is… |
| CVE-2025-24910 | | Med | 0.32 | 4.9 | 0.00 | | Apr 16, 2025 | Overview XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is… |
| CVE-2024-6696 | | Med | 0.32 | 4.9 | 0.00 | | Feb 20, 2025 | The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control… |
| CVE-2025-24909 | | Med | 0.29 | 4.4 | 0.00 | | Apr 16, 2025 | Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79) Description Hitachi Vantara Pentaho Business Analytics… |
| CVE-2025-0757 | | Med | 0.29 | 4.4 | 0.00 | | Apr 16, 2025 | Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79) Description Hitachi Vantara Pentaho Business Analytics Server… |
| CVE-2024-37360 | | Med | 0.29 | 4.4 | 0.00 | | Feb 19, 2025 | Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a… |
| CVE-2022-43769 | | | 0.23 | — | 0.98 | KEV | Apr 3, 2023 | Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream. |
| CVE-2022-43939 | | | 0.22 | — | 0.92 | KEV | Apr 3, 2023 | Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented. |
| CVE-2021-34684 | | | 0.02 | — | 0.06 | | Nov 8, 2021 | Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI. |
| CVE-2024-28984 | | | 0.00 | — | 0.00 | | Jun 26, 2024 | Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface. |
| CVE-2024-28983 | | | 0.00 | — | 0.00 | | Jun 26, 2024 | Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface. |
| CVE-2024-28982 | | | 0.00 | — | 0.00 | | Jun 26, 2024 | Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference. |
| CVE-2023-2358 | | | 0.00 | — | 0.00 | | Sep 26, 2023 | Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext. |