
Search Results

Search Parameters:
  • Keyword (text search): pentaho
There are 39 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2023-5617

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.1.0.0 and 9.3.0.6, including 9.5.x and 8.3.x, display the version of Tomcat when a server error is encountered.

Published: February 28, 2024; 6:15:08 PM -0500
V3.x: (not available)
V2.0: (not available)
CVE-2023-3517

Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x, do not restrict JNDI identifiers during the creation of XActions, allowing control of system-level data sources.

Published: December 12, 2023; 6:15:07 PM -0500
V3.1: 8.8 HIGH
V2.0: (not available)
CVE-2023-2358

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.

Published: September 27, 2023; 11:18:50 AM -0400
V3.1: 4.9 MEDIUM
V2.0: (not available)
CVE-2023-1158

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, expose dashboard prompts to users who are not part of the authorization list.

Published: May 24, 2023; 6:15:09 PM -0400
V3.1: 4.3 MEDIUM
V2.0: (not available)
CVE-2022-4815

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.

Published: May 24, 2023; 6:15:09 PM -0400
V3.1: 8.8 HIGH
V2.0: (not available)
CVE-2022-43770

Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 do not correctly perform an authorization check in the dashboard editor plugin API.

Published: April 11, 2023; 12:15:07 PM -0400
V3.1: 8.1 HIGH
V2.0: (not available)
CVE-2022-3695

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allows a malicious URL to inject content into a dashboard when the CDE plugin is present.

Published: April 11, 2023; 12:15:07 PM -0400
V3.1: 6.1 MEDIUM
V2.0: (not available)
CVE-2022-4771

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows a malicious URL to inject content into the Pentaho User Console through session variables.

Published: April 03, 2023; 3:15:07 PM -0400
V3.1: 6.1 MEDIUM
V2.0: (not available)
CVE-2022-4770

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).

Published: April 03, 2023; 3:15:07 PM -0400
V3.1: 4.3 MEDIUM
V2.0: (not available)
CVE-2022-4769

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the target path on the host when a file is uploaded with an invalid character in its name.

Published: April 03, 2023; 3:15:07 PM -0400
V3.1: 4.3 MEDIUM
V2.0: (not available)
CVE-2022-43941

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference.

Published: April 03, 2023; 3:15:07 PM -0400
V3.1: 6.5 MEDIUM
V2.0: (not available)
CVE-2022-43940

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly perform an authorization check in the data source management service.

Published: April 03, 2023; 3:15:07 PM -0400
V3.1: 8.8 HIGH
V2.0: (not available)
CVE-2022-43939

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, contain security restrictions that can be circumvented using non-canonical URLs.

Published: April 03, 2023; 3:15:07 PM -0400
V3.1: 9.8 CRITICAL
V2.0: (not available)
CVE-2022-43938

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, does not allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.

Published: April 03, 2023; 3:15:07 PM -0400
V3.1: 8.8 HIGH
V2.0: (not available)
CVE-2022-43772

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, with the Big Data Plugin expose the username and password of clusters in clear text in system logs.

Published: April 03, 2023; 3:15:06 PM -0400
V3.1: 6.5 MEDIUM
V2.0: (not available)
CVE-2022-43771

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin expose a service endpoint for CSV import which allows a user-supplied path to access resources that are out of bounds.

Published: April 03, 2023; 3:15:06 PM -0400
V3.1: 6.5 MEDIUM
V2.0: (not available)
CVE-2022-3960

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, does not allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin.

Published: April 03, 2023; 3:15:06 PM -0400
V3.1: 6.3 MEDIUM
V2.0: (not available)
CVE-2022-43773

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is installed with a sample HSQLDB data source configured with stored procedures enabled.

Published: April 03, 2023; 2:15:07 PM -0400
V3.1: 8.8 HIGH
V2.0: (not available)
CVE-2022-43769

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows certain web services to set property values which contain Spring templates that are interpreted downstream.

Published: April 03, 2023; 2:15:07 PM -0400
V3.1: 7.2 HIGH
V2.0: (not available)
CVE-2021-45448

Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin expose a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory. By using special elements such as ".." and "/" separators, attackers can escape the restricted location to access files or directories elsewhere on the system.

Published: November 02, 2022; 12:15:09 PM -0400
V3.1: 6.5 MEDIUM
V2.0: (not available)