Vulnerabilites related to Hitachi Vantara - Pentaho Business Analytics Server
cve-2022-43773
Vulnerability from cvelistv5
Published
2023-04-03 17:59
Modified
2025-02-11 14:30
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:40:06.246Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14453135249165--Resolved-Pentaho-BA-Server-Incorrect-Permission-Assignment-for-Critical-Resource-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43773-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-43773", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:30:06.737568Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:30:10.315Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Harry Withington, Aura Information Security ", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled. \n\n", }, ], impacts: [ { capecId: "CAPEC-180", descriptions: [ { lang: "en", value: "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-732", description: "CWE-732 Incorrect Permission Assignment for Critical Resource", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T17:59:17.255Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14453135249165--Resolved-Pentaho-BA-Server-Incorrect-Permission-Assignment-for-Critical-Resource-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43773-", }, ], source: { discovery: "EXTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Incorrect Permission Assignment for Critical Resource ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-43773", datePublished: "2023-04-03T17:59:17.255Z", dateReserved: "2022-10-26T12:55:14.327Z", dateUpdated: "2025-02-11T14:30:10.315Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28983
Vulnerability from cvelistv5
Published
2024-06-26 22:40
Modified
2024-09-11 23:40
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 8.3 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-28983", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-06-27T14:48:05.798742Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-27T14:48:13.210Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:03:51.428Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/27569257123725-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28983", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.7", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "10.1.0.0", status: "affected", version: "8.3", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Yesenia Trejo - Strike Security", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>", }, ], value: "Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.", }, ], impacts: [ { capecId: "CAPEC-591", descriptions: [ { lang: "en", value: "CAPEC-591 Reflected XSS", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-11T23:40:00.607Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/27569257123725-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28983", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-28983", datePublished: "2024-06-26T22:40:15.645Z", dateReserved: "2024-03-13T19:18:14.913Z", dateUpdated: "2024-09-11T23:40:00.607Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-37359
Vulnerability from cvelistv5
Published
2025-02-19 22:58
Modified
2025-02-20 20:54
Severity ?
EPSS score ?
Summary
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests.
By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Hitachi Vantara | Pentaho Data Integration & Analytics |
Version: 10.0 |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-37359", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-20T20:53:56.371593Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-20T20:54:18.244Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Data Integration & Analytics", vendor: "Hitachi Vantara", versions: [ { lessThan: "10.2.0.0", status: "affected", version: "10.0", versionType: "maven", }, ], }, { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.9", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div><p>The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918) </p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests.</span></p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.</span></p></div>\n\n<br>", }, ], value: "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918) \n\n\n\n \n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests.\n\n\n\n \n\n\n\nBy providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, use other URLs such as that can access documents on the system (using file://), or use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.", }, ], impacts: [ { capecId: "CAPEC-664", descriptions: [ { lang: "en", value: "CAPEC-664 Server Side Request Forgery", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-918", description: "CWE-918 Server-Side Request Forgery (SSRF)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-19T22:58:57.599Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/34296789835917--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Server-Side-Request-Forgery-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37359", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server – Server Side Request Forgery", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-37359", datePublished: "2025-02-19T22:58:57.599Z", dateReserved: "2024-06-06T15:36:41.049Z", dateUpdated: "2025-02-20T20:54:18.244Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-4815
Vulnerability from cvelistv5
Published
2023-05-24 21:30
Modified
2025-01-16 15:29
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:48:40.490Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14455879270285-IMPORTANT-Resolved-Pentaho-BA-Server-Deserialization-of-Untrusted-Data-Versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-Impacted-CVE-2022-4815-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-4815", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-01-16T15:27:59.972133Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-16T15:29:21.796Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.3", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Clarence Liau", }, { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods. \n\n", }, ], impacts: [ { capecId: "CAPEC-586", descriptions: [ { lang: "en", value: "CAPEC-586 Object Injection", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-24T21:30:37.243Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14455879270285-IMPORTANT-Resolved-Pentaho-BA-Server-Deserialization-of-Untrusted-Data-Versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-Impacted-CVE-2022-4815-", }, ], source: { discovery: "EXTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-4815", datePublished: "2023-05-24T21:30:37.243Z", dateReserved: "2022-12-28T14:37:02.021Z", dateUpdated: "2025-01-16T15:29:21.796Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-43771
Vulnerability from cvelistv5
Published
2023-04-03 18:40
Modified
2025-02-11 14:40
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin exposes a service endpoint for CSV import which allows a user supplied path to access resources that are out of bounds.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:40:06.238Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14455007818509--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Limitation-of-a-Pathname-to-a-Restricted-Directory-Path-Traversal-Versions-before-9-4-0-0-and-9-3-0-1-including-8-3-x-Impacted-CVE-2022-43771-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-43771", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:40:24.022712Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:40:28.479Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Data Access Plugin", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.1", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Hitachi Group Member", }, { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Harry Withington, Aura Information Security", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin exposes a service endpoint for CSV import which allows a user supplied path to access resources that are out of bounds. </span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin exposes a service endpoint for CSV import which allows a user supplied path to access resources that are out of bounds. \n\n", }, ], impacts: [ { capecId: "CAPEC-139", descriptions: [ { lang: "en", value: "CAPEC-139 Relative Path Traversal", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T18:40:01.396Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14455007818509--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Limitation-of-a-Pathname-to-a-Restricted-Directory-Path-Traversal-Versions-before-9-4-0-0-and-9-3-0-1-including-8-3-x-Impacted-CVE-2022-43771-", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-43771", datePublished: "2023-04-03T18:40:01.396Z", dateReserved: "2022-10-26T12:55:14.327Z", dateUpdated: "2025-02-11T14:40:28.479Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28982
Vulnerability from cvelistv5
Published
2024-06-26 22:37
Modified
2024-09-11 23:39
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 8.3 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:hitachi_vantara:pentaho_business_analytics_server:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "pentaho_business_analytics_server", vendor: "hitachi_vantara", versions: [ { lessThan: "9.3.0.7", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "10.1.0.0", status: "affected", version: "8.3", versionType: "maven", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-28982", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-09T19:05:59.725032Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-09T19:15:50.518Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:03:51.450Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Pentaho User Console", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.7", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "10.1.0.0", status: "affected", version: "8.3", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Yesenia Trejo - Strike Security", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>", }, ], value: "Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.", }, ], impacts: [ { capecId: "CAPEC-197", descriptions: [ { lang: "en", value: "CAPEC-197 Exponential Data Expansion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-776", description: "CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-11T23:39:29.658Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-28982", datePublished: "2024-06-26T22:37:01.285Z", dateReserved: "2024-03-13T19:18:14.913Z", dateUpdated: "2024-09-11T23:39:29.658Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-6696
Vulnerability from cvelistv5
Published
2025-02-19 23:29
Modified
2025-02-20 17:21
Severity ?
EPSS score ?
Summary
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly perform an authorization check in the user console trash content
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Hitachi Vantara | Pentaho Data Integration & Analytics |
Version: 10.0 |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-6696", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-20T17:20:51.315877Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-20T17:21:02.881Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Data Integration & Analytics", vendor: "Hitachi Vantara", versions: [ { lessThan: "10.2.0.0", status: "affected", version: "10.0", versionType: "maven", }, ], }, { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.9", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div><p>The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220)<span style=\"background-color: var(--wht);\"> </span></p><p><span style=\"background-color: var(--wht);\"><br></span></p></div><div><p><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly perform an authorization check in the user console trash content</span></p><p><span style=\"background-color: var(--wht);\"><br></span></p></div><div><p> <span style=\"background-color: var(--wht);\">An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.</span><br></p></div>", }, ], value: "The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220) \n\n\n\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly perform an authorization check in the user console trash content\n\n\n\n\n\n\n An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.", }, ], impacts: [ { capecId: "CAPEC-180", descriptions: [ { lang: "en", value: "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1220", description: "CWE-1220: Insufficient Granularity of Access Control", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-19T23:29:43.131Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/34296877157517--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Insufficient-Granularity-of-Access-Control-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6696", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Insufficient Granularity of Access Control", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-6696", datePublished: "2025-02-19T23:29:43.131Z", dateReserved: "2024-07-11T15:18:00.286Z", dateUpdated: "2025-02-20T17:21:02.881Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28984
Vulnerability from cvelistv5
Published
2024-06-26 22:41
Modified
2024-08-02 01:03
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 8.3 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-28984", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-06-28T19:45:24.153443Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-02T14:28:53.324Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:03:51.332Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/27569319605901-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28984", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.7", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "10.1.0.0", status: "affected", version: "8.3", versionType: "maven", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<div><p>Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface. </p></div><div><p> </p></div>\n\n", }, ], value: "Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.", }, ], impacts: [ { capecId: "CAPEC-591", descriptions: [ { lang: "en", value: "CAPEC-591 Reflected XSS", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-26T22:41:57.450Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/27569319605901-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28984", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-28984", datePublished: "2024-06-26T22:41:57.450Z", dateReserved: "2024-03-13T19:18:14.913Z", dateUpdated: "2024-08-02T01:03:51.332Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-45446
Vulnerability from cvelistv5
Published
2022-11-02 14:26
Modified
2024-08-04 04:39
Severity ?
EPSS score ?
Summary
A vulnerability in
Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and
8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located
inside the directory.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:39:20.999Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/6744813983501", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "8.3.0.25", status: "affected", version: "1.0", versionType: "ALL", }, { lessThan: "9.2.0.2", status: "affected", version: "9.0", versionType: "ALL", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "A vulnerability in \n\nHitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and \n8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located \ninside the directory. \n\n<br>", }, ], value: "A vulnerability in \n\nHitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and \n8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located \ninside the directory. \n\n\n", }, ], impacts: [ { descriptions: [ { lang: "en", value: "A directory listing provides an attacker with the complete index of all the resources located inside of the directory. The specific risks and consequences vary depending on which files are listed and accessible.", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-548", description: "CWE-548", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-02T14:26:02.105Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/6744813983501", }, ], source: { discovery: "UNKNOWN", }, title: " Pentaho Business Analytics Server - Exposure of Information Through Directory Listing", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2021-45446", datePublished: "2022-11-02T14:26:02.105Z", dateReserved: "2021-12-21T05:57:40.703Z", dateUpdated: "2024-08-04T04:39:20.999Z", requesterUserId: "520cc88b-a1c8-44f6-9154-21a4d74c769f", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-4770
Vulnerability from cvelistv5
Published
2023-04-03 18:56
Modified
2025-02-11 14:28
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:48:40.442Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14455209015949--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-9-4-0-0-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4770-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-4770", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:28:31.759410Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:28:35.632Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt). \n\n", }, ], impacts: [ { capecId: "CAPEC-54", descriptions: [ { lang: "en", value: "CAPEC-54 Query System for Information", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-209", description: "CWE-209 Generation of Error Message Containing Sensitive Information", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T18:56:17.800Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14455209015949--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-9-4-0-0-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4770-", }, ], source: { discovery: "INTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-4770", datePublished: "2023-04-03T18:56:17.800Z", dateReserved: "2022-12-27T22:39:50.860Z", dateUpdated: "2025-02-11T14:28:35.632Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-1158
Vulnerability from cvelistv5
Published
2023-05-24 21:26
Modified
2025-01-16 15:30
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:40:57.915Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14456024873741-IMPORTANT-Resolved-Pentaho-BA-Server-Incorrect-Authorization-Versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-Impacted-CVE-2023-1158-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-1158", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-01-16T15:30:07.236184Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-01-16T15:30:17.683Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Dashboard Plugin", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.3", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. \n\n", }, ], impacts: [ { capecId: "CAPEC-180", descriptions: [ { lang: "en", value: "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-24T21:26:53.129Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14456024873741-IMPORTANT-Resolved-Pentaho-BA-Server-Incorrect-Authorization-Versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-Impacted-CVE-2023-1158-", }, ], source: { discovery: "INTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2023-1158", datePublished: "2023-05-24T21:26:53.129Z", dateReserved: "2023-03-02T19:24:26.670Z", dateUpdated: "2025-01-16T15:30:17.683Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-43938
Vulnerability from cvelistv5
Published
2023-04-03 18:06
Modified
2025-02-11 14:41
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:40:06.881Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14454630725645--Resolved-Pentaho-BA-Server-Improper-Neutralization-of-Directives-in-Statically-Saved-Code-Static-Code-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43938-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-43938", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:41:50.733770Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:41:56.280Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Harry Withington, Aura Information Security ", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager. \n\n", }, ], impacts: [ { capecId: "CAPEC-242", descriptions: [ { lang: "en", value: "CAPEC-242 Code Injection", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-96", description: "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T18:06:54.133Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14454630725645--Resolved-Pentaho-BA-Server-Improper-Neutralization-of-Directives-in-Statically-Saved-Code-Static-Code-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43938-", }, ], source: { discovery: "EXTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-43938", datePublished: "2023-04-03T18:06:54.133Z", dateReserved: "2022-10-26T21:25:26.141Z", dateUpdated: "2025-02-11T14:41:56.280Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-37363
Vulnerability from cvelistv5
Published
2025-02-19 23:40
Modified
2025-02-20 17:23
Severity ?
EPSS score ?
Summary
The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an authorization check in the data source management service.
When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Hitachi Vantara | Pentaho Data Integration & Analytics |
Version: 10.0 |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-37363", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-20T17:23:10.875787Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-20T17:23:30.526Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Data Integration & Analytics", vendor: "Hitachi Vantara", versions: [ { lessThan: "10.2.0.0", status: "affected", version: "10.0", versionType: "maven", }, ], }, { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.8", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div><p><span style=\"background-color: var(--wht);\">The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862)</span></p><p><span style=\"background-color: var(--wht);\"><br></span></p></div><div><p><span style=\"background-color: var(--wht);\"> </span><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an authorization check in the data source management service.</span></p></div><div><p><br></p></div><div><p>When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service. </p></div>", }, ], value: "The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862)\n\n\n\n\n\n\n Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an authorization check in the data source management service.\n\n\n\n\n\n\n\n\nWhen access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.", }, ], impacts: [ { capecId: "CAPEC-1", descriptions: [ { lang: "en", value: "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-862", description: "CWE-862 Missing Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-19T23:40:10.095Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/34296230504589--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Incorrect-Authorization-Versions-before-10-2-0-0-and-9-3-0-8-including-8-3-x-Impacted-CVE-2024-37363", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-37363", datePublished: "2025-02-19T23:40:10.095Z", dateReserved: "2024-06-06T15:36:41.050Z", dateUpdated: "2025-02-20T17:23:30.526Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-5706
Vulnerability from cvelistv5
Published
2025-02-19 22:49
Modified
2025-02-20 21:33
Severity ?
EPSS score ?
Summary
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources.
An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Hitachi Vantara | Pentaho Data Integration & Analytics |
Version: 10.0 |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-5706", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-20T21:33:40.324290Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-20T21:33:54.478Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Community Dashboard Framework", ], product: "Pentaho Data Integration & Analytics", vendor: "Hitachi Vantara", versions: [ { lessThan: "10.2.0.0", status: "affected", version: "10.0", versionType: "maven", }, ], }, { defaultStatus: "unaffected", modules: [ "Community Dashboard Framework", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.9", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "tuo4n8 & thongvv (GE) from VNG Security Response Center", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div><p><span style=\"background-color: var(--wht);\">The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99)</span><span style=\"background-color: var(--wht);\"> </span></p><p><span style=\"background-color: var(--wht);\"><br></span></p></div><div><p><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources.</span><span style=\"background-color: var(--wht);\"> </span></p><p><span style=\"background-color: var(--wht);\"><br></span></p></div><div><p><br><span style=\"background-color: var(--wht);\">An attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.</span></p></div>", }, ], value: "The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) \n\n\n\n\n\n\nHitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources. \n\n\n\n\n\n\n\nAn attacker could gain access to or modify sensitive data or system resources. This could allow access to protected files or directories including configuration files and files containing sensitive information, which can lead to remote code execution by unauthorized users.", }, ], impacts: [ { capecId: "CAPEC-240", descriptions: [ { lang: "en", value: "CAPEC-240 Resource Injection", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-99", description: "CWE-99: Improper Control of Resource Identifiers ('Resource Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-19T22:50:55.584Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/34296195570189--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Control-of-Resource-Identifiers-Resource-Injection-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-5706", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection')", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-5706", datePublished: "2025-02-19T22:49:46.583Z", dateReserved: "2024-06-06T17:25:33.384Z", dateUpdated: "2025-02-20T21:33:54.478Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-45447
Vulnerability from cvelistv5
Published
2022-11-02 14:56
Modified
2024-08-04 04:39
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and
8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text.
The transmission of sensitive data in clear text allows unauthorized actors with access to the
network to sniff and obtain sensitive information that can be later used to gain unauthorized
access.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 9.0.0.0 Version: 1.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:39:20.773Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/6744504393101", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.2.0.2", status: "affected", version: "9.0.0.0", versionType: "All", }, { lessThan: "8.3.0.25", status: "affected", version: "1.0", versionType: "All", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and \n8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. \n\nThe transmission of sensitive data in clear text allows unauthorized actors with access to the \nnetwork to sniff and obtain sensitive information that can be later used to gain unauthorized \naccess.\n\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and \n8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. \n\nThe transmission of sensitive data in clear text allows unauthorized actors with access to the \nnetwork to sniff and obtain sensitive information that can be later used to gain unauthorized \naccess.\n\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-319", description: "CWE-319 Cleartext Transmission of Sensitive Information", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-02T14:56:03.090Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/6744504393101", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nThe defect may be mitigated now by disabling the Data Lineage feature or updating to a patched version<br>", }, ], value: "\nThe defect may be mitigated now by disabling the Data Lineage feature or updating to a patched version\n", }, ], source: { discovery: "UNKNOWN", }, title: " Pentaho Business Analytics Server - With the Data Lineage feature enabled, the system transmits database passwords in clear text", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2021-45447", datePublished: "2022-11-02T14:56:01.585Z", dateReserved: "2021-12-21T05:57:40.703Z", dateUpdated: "2024-08-04T04:39:20.773Z", requesterUserId: "520cc88b-a1c8-44f6-9154-21a4d74c769f", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-3695
Vulnerability from cvelistv5
Published
2023-04-11 15:45
Modified
2025-02-07 15:53
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.0.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:14:03.359Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14739451011981", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-3695", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-07T15:53:31.395131Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-07T15:53:35.374Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Community Dashboard Editor", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "8.3.0.27", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.2.0.4", status: "affected", version: "9.0.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present. </span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present. \n\n", }, ], impacts: [ { capecId: "CAPEC-592", descriptions: [ { lang: "en", value: "CAPEC-592 Stored XSS", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T15:45:03.366Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14739451011981", }, ], source: { discovery: "INTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-3695", datePublished: "2023-04-11T15:45:03.366Z", dateReserved: "2022-10-26T12:51:27.046Z", dateUpdated: "2025-02-07T15:53:35.374Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-2358
Vulnerability from cvelistv5
Published
2023-09-26 21:34
Modified
2024-09-23 20:24
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.5.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T06:19:14.897Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/19668208622221", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-2358", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-23T20:23:19.372778Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-23T20:24:01.836Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.5", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.5.0.1", status: "affected", version: "9.5.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara </span><span style=\"background-color: rgb(255, 255, 255);\">Pentaho Business Analytics Server</span><span style=\"background-color: rgb(255, 255, 255);\"> prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext. \n\n", }, ], impacts: [ { capecId: "CAPEC-37", descriptions: [ { lang: "en", value: "CAPEC-37 Retrieve Embedded Sensitive Data", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-257", description: "CWE-257 ", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-26T21:34:06.878Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/19668208622221", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server – Password Stored in a Recoverable Format ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2023-2358", datePublished: "2023-09-26T21:34:06.878Z", dateReserved: "2023-04-27T19:02:38.693Z", dateUpdated: "2024-09-23T20:24:01.836Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-37361
Vulnerability from cvelistv5
Published
2025-02-19 23:25
Modified
2025-02-20 17:21
Severity ?
EPSS score ?
Summary
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Hitachi Vantara | Pentaho Data Integration & Analytics |
Version: 10.0 |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-37361", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-20T17:21:19.314996Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-20T17:21:31.689Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Interactive Reporting", ], product: "Pentaho Data Integration & Analytics", vendor: "Hitachi Vantara", versions: [ { lessThan: "10.2.0.0", status: "affected", version: "10.0", versionType: "maven", }, ], }, { defaultStatus: "unaffected", modules: [ "Interactive Reporting", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.9", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Timo Müller & Hans-Martin Münch - MOGWAI LABS GmbH", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div><p><span style=\"background-color: var(--wht);\">The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502)</span></p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.</span></p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">When developers place no restrictions on \"gadget chains,\" or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions.</span></p></div>", }, ], value: "The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502)\n\n\n\n \n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.\n\n\n\n \n\n\n\nWhen developers place no restrictions on \"gadget chains,\" or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions.", }, ], impacts: [ { capecId: "CAPEC-586", descriptions: [ { lang: "en", value: "CAPEC-586 Object Injection", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-20T15:07:23.159Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/34299135441805--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37361", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-37361", datePublished: "2025-02-19T23:25:33.256Z", dateReserved: "2024-06-06T15:36:41.050Z", dateUpdated: "2025-02-20T17:21:31.689Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-4771
Vulnerability from cvelistv5
Published
2023-04-03 18:58
Modified
2025-02-11 14:28
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:48:40.437Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14455436088717--Resolved-Pentaho-BA-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4771-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-4771", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:28:17.169825Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:28:21.236Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables. \n\n", }, ], impacts: [ { capecId: "CAPEC-591", descriptions: [ { lang: "en", value: "CAPEC-591 Reflected XSS", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T18:58:44.148Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14455436088717--Resolved-Pentaho-BA-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4771-", }, ], source: { discovery: "INTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-4771", datePublished: "2023-04-03T18:58:44.148Z", dateReserved: "2022-12-27T22:39:54.028Z", dateUpdated: "2025-02-11T14:28:21.236Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-45448
Vulnerability from cvelistv5
Published
2022-11-02 15:12
Modified
2024-08-04 04:39
Severity ?
EPSS score ?
Summary
Pentaho Business Analytics
Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho
Analyzer plugin exposes a service endpoint for templates which allows a
user-supplied path to access resources that are out of bounds.
The software uses external input to construct a pathname that is intended to identify a file or
directory that is located underneath a restricted parent directory, but the software does not
properly neutralize special elements within the pathname that can cause the pathname to
resolve to a location that is outside of the restricted directory. By using special elements such as
".." and "/" separators, attackers can escape outside of the restricted
location to access files or directories that are elsewhere on the
system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 9.2 Version: 1.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T04:39:21.052Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/6744743458701", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Pentaho Analyzer plugin", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.2.0.2", status: "affected", version: "9.2", versionType: "ALL", }, { lessThan: "8.3.0.25", status: "affected", version: "1.0", versionType: "All", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n<p>Pentaho Business Analytics\n Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho \nAnalyzer plugin exposes a service endpoint for templates which allows a \nuser-supplied path to access resources that are out of bounds. \n\nThe software uses external input to construct a pathname that is intended to identify a file or \ndirectory that is located underneath a restricted parent directory, but the software does not \nproperly neutralize special elements within the pathname that can cause the pathname to \nresolve to a location that is outside of the restricted directory. <span style=\"background-color: var(--wht);\"> By using special elements such as \n\"..\" and \"/\" separators, attackers can escape outside of the restricted \nlocation to access files or directories that are elsewhere on the \nsystem.</span></p>\n\n", }, ], value: "Pentaho Business Analytics\n Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho \nAnalyzer plugin exposes a service endpoint for templates which allows a \nuser-supplied path to access resources that are out of bounds. \n\nThe software uses external input to construct a pathname that is intended to identify a file or \ndirectory that is located underneath a restricted parent directory, but the software does not \nproperly neutralize special elements within the pathname that can cause the pathname to \nresolve to a location that is outside of the restricted directory. By using special elements such as \n\"..\" and \"/\" separators, attackers can escape outside of the restricted \nlocation to access files or directories that are elsewhere on the \nsystem.\n\n\n\n", }, ], impacts: [ { descriptions: [ { lang: "en", value: "Many file operations are intended to take place within a restricted directory. By using special elements such as \"..\" and \"/\" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-02T15:12:25.164Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/6744743458701", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n\nThe defect may be mitigated either by uninstalling the Pentaho Analyzer plugin or upgrading to the latest Hitachi Vantara Pentaho version \n9.3 release. For versions 9.2 and 8.3 we recommend updating to Service \nPacks 9.2.0.2/8.3.0.25 or above where this vulnerability is addressed. \n\n<br>", }, ], value: "\n\nThe defect may be mitigated either by uninstalling the Pentaho Analyzer plugin or upgrading to the latest Hitachi Vantara Pentaho version \n9.3 release. For versions 9.2 and 8.3 we recommend updating to Service \nPacks 9.2.0.2/8.3.0.25 or above where this vulnerability is addressed. \n\n\n", }, ], source: { discovery: "UNKNOWN", }, title: "Pentaho Business Analytics Server - Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user supplied path to access resources that are out of bounds.", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2021-45448", datePublished: "2022-11-02T15:12:25.164Z", dateReserved: "2021-12-21T05:57:40.703Z", dateUpdated: "2024-08-04T04:39:21.052Z", requesterUserId: "520cc88b-a1c8-44f6-9154-21a4d74c769f", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-37360
Vulnerability from cvelistv5
Published
2025-02-19 23:01
Modified
2025-02-20 17:22
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.
Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Hitachi Vantara | Pentaho Data Integration & Analytics |
Version: 10.0 |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-37360", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-20T17:21:56.788347Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-20T17:22:08.769Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Data Integration & Analytics", vendor: "Hitachi Vantara", versions: [ { lessThan: "10.2.0.0", status: "affected", version: "10.0", versionType: "maven", }, ], }, { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.9", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div><p>Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') </p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)</span></p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.</span></p></div><div><p> </p></div><div><p><br><span style=\"background-color: var(--wht);\">Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.</span></p></div>", }, ], value: "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') \n\n\n\n \n\n\n\nThe software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)\n\n\n\n \n\n\n\nHitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface.\n\n\n\n \n\n\n\n\nOnce the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.", }, ], impacts: [ { capecId: "CAPEC-591", descriptions: [ { lang: "en", value: "CAPEC-591 Reflected XSS", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-19T23:01:41.632Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/34298351866893--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-CVE-2024-37360", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-37360", datePublished: "2025-02-19T23:01:41.632Z", dateReserved: "2024-06-06T15:36:41.049Z", dateUpdated: "2025-02-20T17:22:08.769Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-43941
Vulnerability from cvelistv5
Published
2023-04-03 18:44
Modified
2025-02-11 14:29
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:40:06.714Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14456719346957--Resolved-Pentaho-BA-Server-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43940-CVE-2022-43941-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-43941", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:29:46.037849Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:29:51.364Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Data Access Plugin", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara ", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Harry Withington, Aura Information Security ", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference. \n\n", }, ], impacts: [ { capecId: "CAPEC-201", descriptions: [ { lang: "en", value: "CAPEC-201 XML Entity Linking", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-611", description: "CWE-611 Improper Restriction of XML External Entity Reference", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T18:44:41.398Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14456719346957--Resolved-Pentaho-BA-Server-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43940-CVE-2022-43941-", }, ], source: { discovery: "EXTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-43941", datePublished: "2023-04-03T18:44:41.398Z", dateReserved: "2022-10-26T21:25:26.142Z", dateUpdated: "2025-02-11T14:29:51.364Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-43769
Vulnerability from cvelistv5
Published
2023-04-03 17:47
Modified
2025-03-03 20:14
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:40:06.548Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769-", }, { tags: [ "x_transferred", ], url: "http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-43769", options: [ { Exploitation: "active", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-03-03T20:12:14.774536Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2025-03-03", reference: "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json", }, type: "kev", }, }, ], providerMetadata: { dateUpdated: "2025-03-03T20:14:14.063Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, timeline: [ { lang: "en", time: "2025-03-03T00:00:00+00:00", value: "CVE-2022-43769 added to CISA KEV", }, ], title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Harry Withington, Aura Information Security", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>", }, ], value: "Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream.", }, ], impacts: [ { capecId: "CAPEC-35", descriptions: [ { lang: "en", value: "CAPEC-35 Leverage Executable Code in Non-Executable Files", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-74", description: "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-11T17:06:43.739Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14455561548301--Resolved-Pentaho-BA-Server-Failure-to-Sanitize-Special-Elements-into-a-Different-Plane-Special-Element-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43769-", }, { url: "http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html", }, ], source: { discovery: "EXTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-43769", datePublished: "2023-04-03T17:47:45.737Z", dateReserved: "2022-10-26T12:55:14.326Z", dateUpdated: "2025-03-03T20:14:14.063Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-4769
Vulnerability from cvelistv5
Published
2023-04-03 18:53
Modified
2025-02-11 14:28
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the target path on host when a file is uploaded with an invalid character in its name.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:48:40.579Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14452244712589--Resolved-Pentaho-BA-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-9-4-0-0-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4769-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-4769", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:28:48.854618Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:28:52.915Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Hitachi Group Member ", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the target path on host when a file is uploaded with an invalid character in its name.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the target path on host when a file is uploaded with an invalid character in its name. \n\n", }, ], impacts: [ { capecId: "CAPEC-54", descriptions: [ { lang: "en", value: "CAPEC-54 Query System for Information", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-209", description: "CWE-209 Generation of Error Message Containing Sensitive Information", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T18:53:51.840Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14452244712589--Resolved-Pentaho-BA-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-9-4-0-0-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4769-", }, ], source: { discovery: "INTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-4769", datePublished: "2023-04-03T18:53:51.840Z", dateReserved: "2022-12-27T22:39:48.698Z", dateUpdated: "2025-02-11T14:28:52.915Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-37362
Vulnerability from cvelistv5
Published
2025-02-19 23:34
Modified
2025-02-20 17:23
Severity ?
EPSS score ?
Summary
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522)
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift.
Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Hitachi Vantara | Pentaho Data Integration & Analytics |
Version: 10.0 |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-37362", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-20T17:23:16.610950Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-20T17:23:41.440Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Data Integration & Analytics", vendor: "Hitachi Vantara", versions: [ { lessThan: "10.2.0.0", status: "affected", version: "10.0", versionType: "maven", }, ], }, { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.8", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div><p>The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522) </p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift.</span></p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation.</span></p></div>", }, ], value: "The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522) \n\n\n\n \n\n\n\nHitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift.\n\n\n\n \n\n\n\nProducts must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation.", }, ], impacts: [ { capecId: "CAPEC-117", descriptions: [ { lang: "en", value: "CAPEC-117 Interception", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-522", description: "CWE-522 Insufficiently Protected Credentials", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-19T23:34:29.558Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/34296552220941--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Insufficiently-Protected-Credentials-Versions-before-10-2-0-0-and-9-3-0-8-including-8-3-x-Impacted-CVE-2024-37362", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Data Integration & Analytics - Insufficiently Protected Credentials", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-37362", datePublished: "2025-02-19T23:34:29.558Z", dateReserved: "2024-06-06T15:36:41.050Z", dateUpdated: "2025-02-20T17:23:41.440Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-43939
Vulnerability from cvelistv5
Published
2023-04-03 18:10
Modified
2025-03-03 20:14
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:40:06.721Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939-", }, { tags: [ "x_transferred", ], url: "http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-43939", options: [ { Exploitation: "active", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-03T20:12:20.089787Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2025-03-03", reference: "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json", }, type: "kev", }, }, ], providerMetadata: { dateUpdated: "2025-03-03T20:14:14.212Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, timeline: [ { lang: "en", time: "2025-03-03T00:00:00+00:00", value: "CVE-2022-43939 added to CISA KEV", }, ], title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Harry Withington, Aura Information Security", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>", }, ], value: "Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented.", }, ], impacts: [ { capecId: "CAPEC-3", descriptions: [ { lang: "en", value: "CAPEC-3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-647", description: "CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-05-11T17:06:45.071Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14455394120333--Resolved-Pentaho-BA-Server-Use-of-Non-Canonical-URL-Paths-for-Authorization-Decisions-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43939-", }, { url: "http://packetstormsecurity.com/files/172296/Pentaho-Business-Server-Authentication-Bypass-SSTI-Code-Execution.html", }, ], source: { discovery: "EXTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-43939", datePublished: "2023-04-03T18:10:32.141Z", dateReserved: "2022-10-26T21:25:26.142Z", dateUpdated: "2025-03-03T20:14:14.212Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-6697
Vulnerability from cvelistv5
Published
2025-02-19 23:32
Modified
2025-02-20 17:23
Severity ?
EPSS score ?
Summary
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.
An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Hitachi Vantara | Pentaho Data Integration & Analytics |
Version: 10.0 |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-6697", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-20T17:23:21.950806Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-20T17:23:54.281Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Data Integration & Analytics", vendor: "Hitachi Vantara", versions: [ { lessThan: "10.2.0.0", status: "affected", version: "10.0", versionType: "maven", }, ], }, { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.9", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div><p><span style=\"background-color: var(--wht);\">The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)</span></p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.</span></p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\">An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.</span></p></div>", }, ], value: "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)\n\n\n\n \n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.\n\n\n\n \n\n\n\nAn adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.", }, ], impacts: [ { capecId: "CAPEC-212", descriptions: [ { lang: "en", value: "CAPEC-212 Functionality Misuse", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-280", description: "CWE-280: Improper Handling of Insufficient Permissions or Privileges", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-19T23:32:18.713Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/34296654642701--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Handling-of-Insufficient-Permissions-or-Privileges-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6697", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Handling of Insufficient Permissions or Privileges", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-6697", datePublished: "2025-02-19T23:32:18.713Z", dateReserved: "2024-07-11T15:18:02.001Z", dateUpdated: "2025-02-20T17:23:54.281Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-3960
Vulnerability from cvelistv5
Published
2023-04-03 18:48
Modified
2025-02-11 14:29
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:27:53.737Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14456813547917--Resolved-Pentaho-BA-Server-Improper-Neutralization-of-Directives-in-Statically-Saved-Code-Static-Code-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43940-CVE-2022-3960-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-3960", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:29:23.575993Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:29:27.641Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Community Dashboard Editor Plugin", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Harry Withington, Aura Information Security", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server prior to version</span><span style=\"background-color: transparent;\">s 9.4.0.1 and</span><span style=\"background-color: rgb(255, 255, 255);\"> 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin. \n\n", }, ], impacts: [ { capecId: "CAPEC-242", descriptions: [ { lang: "en", value: "CAPEC-242 Code Injection", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-96", description: "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T18:48:00.992Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14456813547917--Resolved-Pentaho-BA-Server-Improper-Neutralization-of-Directives-in-Statically-Saved-Code-Static-Code-Injection-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43940-CVE-2022-3960-", }, ], source: { discovery: "EXTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-3960", datePublished: "2023-04-03T18:48:00.992Z", dateReserved: "2022-11-11T20:09:03.958Z", dateUpdated: "2025-02-11T14:29:27.641Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-43772
Vulnerability from cvelistv5
Published
2023-04-03 18:50
Modified
2025-02-11 14:29
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:40:06.443Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14454594588045--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Insertion-of-Sensitive-Information-into-Log-File-Versions-before-9-4-0-0-and-9-3-0-1-including-8-3-x-Impacted-CVE-2022-43772-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-43772", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:29:06.035853Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:29:10.931Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Big Data Plugin", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara ", versions: [ { lessThan: "9.3.0.1", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Harry Withington, Aura Information Security", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs. \n\n", }, ], impacts: [ { capecId: "CAPEC-37", descriptions: [ { lang: "en", value: "CAPEC-37 Retrieve Embedded Sensitive Data", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.8, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-532", description: "CWE-532 Insertion of Sensitive Information into Log File", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T18:50:58.827Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14454594588045--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Insertion-of-Sensitive-Information-into-Log-File-Versions-before-9-4-0-0-and-9-3-0-1-including-8-3-x-Impacted-CVE-2022-43772-", }, ], source: { discovery: "EXTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Insertion of Sensitive Information into Log File ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-43772", datePublished: "2023-04-03T18:50:58.827Z", dateReserved: "2022-10-26T12:55:14.327Z", dateUpdated: "2025-02-11T14:29:10.931Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-43940
Vulnerability from cvelistv5
Published
2023-04-03 18:25
Modified
2025-02-11 14:40
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service.
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.4.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:40:06.726Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14456609400973--Resolved-Pentaho-BA-Server-Incorrect-Authorization-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43940-", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-43940", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T14:40:44.477370Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-11T14:40:50.348Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Data Access Plugin", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara ", versions: [ { lessThan: "9.3.0.2", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.4.0.1", status: "affected", version: "9.4.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Harry Withington, Aura Information Security ", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service. \n\n", }, ], impacts: [ { capecId: "CAPEC-1", descriptions: [ { lang: "en", value: "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-03T18:25:33.397Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14456609400973--Resolved-Pentaho-BA-Server-Incorrect-Authorization-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43940-", }, ], source: { discovery: "EXTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-43940", datePublished: "2023-04-03T18:25:33.397Z", dateReserved: "2022-10-26T21:25:26.142Z", dateUpdated: "2025-02-11T14:40:50.348Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-43770
Vulnerability from cvelistv5
Published
2023-04-11 15:48
Modified
2025-02-07 15:52
Severity ?
EPSS score ?
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.0.0.0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:40:06.267Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://support.pentaho.com/hc/en-us/articles/14739303079053", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-43770", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-07T15:52:06.578655Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-07T15:52:39.739Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", modules: [ "Dashboard Editor Plugin", ], product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "8.3.0.27", status: "affected", version: "1.0", versionType: "maven", }, { lessThan: "9.2.0.4", status: "affected", version: "9.0.0.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Hitachi Group Member", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. </span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n", }, ], value: "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. \n\n", }, ], impacts: [ { capecId: "CAPEC-180", descriptions: [ { lang: "en", value: "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-04-11T15:48:56.802Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/14739303079053", }, ], source: { discovery: "INTERNAL", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2022-43770", datePublished: "2023-04-11T15:48:16.650Z", dateReserved: "2022-10-26T12:55:14.327Z", dateUpdated: "2025-02-07T15:52:39.739Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-5705
Vulnerability from cvelistv5
Published
2025-02-19 22:55
Modified
2025-02-20 20:55
Severity ?
EPSS score ?
Summary
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes.
When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ▼ | Hitachi Vantara | Pentaho Data Integration & Analytics |
Version: 10.0 |
||||||
|
|||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-5705", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-20T20:55:24.660273Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-20T20:55:44.629Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Pentaho Data Integration & Analytics", vendor: "Hitachi Vantara", versions: [ { lessThan: "10.2.0.0", status: "affected", version: "10.0", versionType: "maven", }, ], }, { defaultStatus: "unaffected", product: "Pentaho Business Analytics Server", vendor: "Hitachi Vantara", versions: [ { lessThan: "9.3.0.9", status: "affected", version: "1.0", versionType: "maven", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "tuo4n8 & thongvv (GE) from VNG Security Response Center", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<div><p><span style=\"background-color: var(--wht);\"> </span></p></div><div><p>The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) </p></div><div><p> </p></div><div><p><span style=\"background-color: var(--wht);\"> </span></p></div><div><p>Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes. </p></div><div><p> </p></div><div><p><br></p></div><div><p>When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service. </p></div>", }, ], value: "The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) \n\n\n\n \n\n\n\n \n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes. \n\n\n\n \n\n\n\n\n\n\n\n\nWhen access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.", }, ], impacts: [ { capecId: "CAPEC-1", descriptions: [ { lang: "en", value: "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-863", description: "CWE-863 Incorrect Authorization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-19T22:55:08.706Z", orgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", shortName: "HITVAN", }, references: [ { url: "https://support.pentaho.com/hc/en-us/articles/34296615099405--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Incorrect-Authorization-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-5705", }, ], source: { discovery: "UNKNOWN", }, title: "Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "dce6e192-ff49-4263-9134-f0beccb9bc13", assignerShortName: "HITVAN", cveId: "CVE-2024-5705", datePublished: "2025-02-19T22:55:08.706Z", dateReserved: "2024-06-06T17:25:31.840Z", dateUpdated: "2025-02-20T20:55:44.629Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }