Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
9 vulnerabilities by hitachivantara
VAR-201711-0013
Vulnerability from variot - Updated: 2024-02-13 23:04In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application. Hitachi Vantara Pentaho BA The platform contains a cross-site request forgery vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. A remote attacker could use this vulnerability to perform unauthorized operations (such as uploading, deleting files, creating, changing, or deleting queries). Other attacks are also possible
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201711-0013",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "pentaho business analytics",
"scope": "lte",
"trust": 1.0,
"vendor": "hitachivantara",
"version": "8.0"
},
{
"model": "pentaho business analytics",
"scope": "lte",
"trust": 0.8,
"vendor": "hitachi vantara",
"version": "8.0"
},
{
"model": "vantara pentaho",
"scope": "lte",
"trust": 0.6,
"vendor": "hitachi",
"version": "\u003c=8.0"
},
{
"model": "pentaho business analytics",
"scope": "eq",
"trust": 0.6,
"vendor": "hitachivantara",
"version": "8.0"
},
{
"model": "pentaho",
"scope": "eq",
"trust": 0.3,
"vendor": "hitachivantara",
"version": "8.0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-38236"
},
{
"db": "BID",
"id": "102200"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008866"
},
{
"db": "CNNVD",
"id": "CNNVD-201711-1121"
},
{
"db": "NVD",
"id": "CVE-2016-10701"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:hitachivantara:pentaho_business_analytics:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-10701"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Vendor has reported this issue.",
"sources": [
{
"db": "BID",
"id": "102200"
}
],
"trust": 0.3
},
"cve": "CVE-2016-10701",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2016-10701",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2017-38236",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2016-10701",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-10701",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2017-38236",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201711-1121",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2016-10701",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-38236"
},
{
"db": "VULMON",
"id": "CVE-2016-10701"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008866"
},
{
"db": "CNNVD",
"id": "CNNVD-201711-1121"
},
{
"db": "NVD",
"id": "CVE-2016-10701"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application. Hitachi Vantara Pentaho BA The platform contains a cross-site request forgery vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. A remote attacker could use this vulnerability to perform unauthorized operations (such as uploading, deleting files, creating, changing, or deleting queries). Other attacks are also possible",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-10701"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008866"
},
{
"db": "CNVD",
"id": "CNVD-2017-38236"
},
{
"db": "BID",
"id": "102200"
},
{
"db": "VULMON",
"id": "CVE-2016-10701"
}
],
"trust": 2.52
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-10701",
"trust": 3.4
},
{
"db": "BID",
"id": "102200",
"trust": 2.0
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008866",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2017-38236",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201711-1121",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2016-10701",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-38236"
},
{
"db": "VULMON",
"id": "CVE-2016-10701"
},
{
"db": "BID",
"id": "102200"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008866"
},
{
"db": "CNNVD",
"id": "CNNVD-201711-1121"
},
{
"db": "NVD",
"id": "CVE-2016-10701"
}
]
},
"id": "VAR-201711-0013",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-38236"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-38236"
}
]
},
"last_update_date": "2024-02-13T23:04:07.986000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Pentaho Business Analytics",
"trust": 0.8,
"url": "http://www.pentaho.com/product/business-analytics"
},
{
"title": "BISERVER-3562",
"trust": 0.8,
"url": "http://jira.pentaho.com/browse/biserver-3562"
},
{
"title": "BISERVER-6599",
"trust": 0.8,
"url": "http://jira.pentaho.com/browse/biserver-6599"
},
{
"title": "BISERVER-13207",
"trust": 0.8,
"url": "http://jira.pentaho.com/browse/biserver-13207"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-008866"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-352",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-008866"
},
{
"db": "NVD",
"id": "CVE-2016-10701"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "http://jira.pentaho.com/browse/biserver-6599"
},
{
"trust": 2.0,
"url": "http://jira.pentaho.com/browse/biserver-3562"
},
{
"trust": 2.0,
"url": "http://jira.pentaho.com/browse/biserver-13207"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/bid/102200"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-10701"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-10701"
},
{
"trust": 0.3,
"url": "http://www.pentaho.com/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/352.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2016-10701"
},
{
"db": "BID",
"id": "102200"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008866"
},
{
"db": "CNNVD",
"id": "CNNVD-201711-1121"
},
{
"db": "NVD",
"id": "CVE-2016-10701"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2017-38236"
},
{
"db": "VULMON",
"id": "CVE-2016-10701"
},
{
"db": "BID",
"id": "102200"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-008866"
},
{
"db": "CNNVD",
"id": "CNNVD-201711-1121"
},
{
"db": "NVD",
"id": "CVE-2016-10701"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-12-27T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-38236"
},
{
"date": "2017-11-28T00:00:00",
"db": "VULMON",
"id": "CVE-2016-10701"
},
{
"date": "2017-11-27T00:00:00",
"db": "BID",
"id": "102200"
},
{
"date": "2017-12-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-008866"
},
{
"date": "2017-11-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201711-1121"
},
{
"date": "2017-11-28T01:29:00.210000",
"db": "NVD",
"id": "CVE-2016-10701"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-12-27T00:00:00",
"db": "CNVD",
"id": "CNVD-2017-38236"
},
{
"date": "2017-12-17T00:00:00",
"db": "VULMON",
"id": "CVE-2016-10701"
},
{
"date": "2017-12-19T21:01:00",
"db": "BID",
"id": "102200"
},
{
"date": "2017-12-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-008866"
},
{
"date": "2017-11-29T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201711-1121"
},
{
"date": "2017-12-17T02:29:00.220000",
"db": "NVD",
"id": "CVE-2016-10701"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201711-1121"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Hitachi Vantara Pentaho Business Analytics Platform Cross-Site Request Forgery Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2017-38236"
},
{
"db": "CNNVD",
"id": "CNNVD-201711-1121"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "cross-site request forgery",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201711-1121"
}
],
"trust": 0.6
}
}
CVE-2023-2358 (GCVE-0-2023-2358)
Vulnerability from cvelistv5 – Published: 2023-09-26 21:34 – Updated: 2024-09-23 20:24
VLAI
Title
Hitachi Vantara Pentaho Business Analytics Server – Password Stored in a Recoverable Format
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Affected:
1.0 , < 9.3.0.5
(maven)
Affected: 9.5.0.0 , < 9.5.0.1 (maven) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pentaho.com/hc/en-us/articles/19668208622221"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T20:23:19.372778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T20:24:01.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pentaho Business Analytics Server",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "9.3.0.5",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "9.5.0.1",
"status": "affected",
"version": "9.5.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePentaho Business Analytics Server\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.\u00a0\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "CWE-257 ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-26T21:34:06.878Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/19668208622221"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server \u2013 Password Stored in a Recoverable Format ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2023-2358",
"datePublished": "2023-09-26T21:34:06.878Z",
"dateReserved": "2023-04-27T19:02:38.693Z",
"dateUpdated": "2024-09-23T20:24:01.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43770 (GCVE-0-2022-43770)
Vulnerability from cvelistv5 – Published: 2023-04-11 15:48 – Updated: 2025-02-07 15:52
VLAI
Title
Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Affected:
1.0 , < 8.3.0.27
(maven)
Affected: 9.0.0.0 , < 9.2.0.4 (maven) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739303079053"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-43770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T15:52:06.578655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:52:39.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Dashboard Editor Plugin"
],
"product": "Pentaho Business Analytics Server",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "8.3.0.27",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "9.2.0.4",
"status": "affected",
"version": "9.0.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. \u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. \u00a0\u00a0\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T15:48:56.802Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/14739303079053"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2022-43770",
"datePublished": "2023-04-11T15:48:16.650Z",
"dateReserved": "2022-10-26T12:55:14.327Z",
"dateUpdated": "2025-02-07T15:52:39.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3695 (GCVE-0-2022-3695)
Vulnerability from cvelistv5 – Published: 2023-04-11 15:45 – Updated: 2025-02-07 15:53
VLAI
Title
Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Affected:
1.0 , < 8.3.0.27
(maven)
Affected: 9.0.0.0 , < 9.2.0.4 (maven) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:03.359Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739451011981"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T15:53:31.395131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:53:35.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Community Dashboard Editor"
],
"product": "Pentaho Business Analytics Server",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "8.3.0.27",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "9.2.0.4",
"status": "affected",
"version": "9.0.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present. \u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present. \u00a0\u00a0\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T15:45:03.366Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/14739451011981"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2022-3695",
"datePublished": "2023-04-11T15:45:03.366Z",
"dateReserved": "2022-10-26T12:51:27.046Z",
"dateUpdated": "2025-02-07T15:53:35.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10701 (GCVE-0-2016-10701)
Vulnerability from cvelistv5 – Published: 2017-11-28 01:00 – Updated: 2024-08-06 03:30
VLAI
Summary
In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://jira.pentaho.com/browse/BISERVER-3562 | x_refsource_MISC |
| http://jira.pentaho.com/browse/BISERVER-6599 | x_refsource_MISC |
| http://www.securityfocus.com/bid/102200 | vdb-entryx_refsource_BID |
| http://jira.pentaho.com/browse/BISERVER-13207 | x_refsource_MISC |
Date Public
2017-11-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:30:20.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"name": "102200",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102200"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-16T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"name": "102200",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102200"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10701",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://jira.pentaho.com/browse/BISERVER-3562",
"refsource": "MISC",
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"name": "http://jira.pentaho.com/browse/BISERVER-6599",
"refsource": "MISC",
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"name": "102200",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102200"
},
{
"name": "http://jira.pentaho.com/browse/BISERVER-13207",
"refsource": "MISC",
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10701",
"datePublished": "2017-11-28T01:00:00.000Z",
"dateReserved": "2017-11-27T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:30:20.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2358 (GCVE-0-2023-2358)
Vulnerability from nvd – Published: 2023-09-26 21:34 – Updated: 2024-09-23 20:24
VLAI
Title
Hitachi Vantara Pentaho Business Analytics Server – Password Stored in a Recoverable Format
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Affected:
1.0 , < 9.3.0.5
(maven)
Affected: 9.5.0.0 , < 9.5.0.1 (maven) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pentaho.com/hc/en-us/articles/19668208622221"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T20:23:19.372778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T20:24:01.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pentaho Business Analytics Server",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "9.3.0.5",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "9.5.0.1",
"status": "affected",
"version": "9.5.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePentaho Business Analytics Server\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.\u00a0\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "CWE-257 ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-26T21:34:06.878Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/19668208622221"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server \u2013 Password Stored in a Recoverable Format ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2023-2358",
"datePublished": "2023-09-26T21:34:06.878Z",
"dateReserved": "2023-04-27T19:02:38.693Z",
"dateUpdated": "2024-09-23T20:24:01.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43770 (GCVE-0-2022-43770)
Vulnerability from nvd – Published: 2023-04-11 15:48 – Updated: 2025-02-07 15:52
VLAI
Title
Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Affected:
1.0 , < 8.3.0.27
(maven)
Affected: 9.0.0.0 , < 9.2.0.4 (maven) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739303079053"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-43770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T15:52:06.578655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:52:39.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Dashboard Editor Plugin"
],
"product": "Pentaho Business Analytics Server",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "8.3.0.27",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "9.2.0.4",
"status": "affected",
"version": "9.0.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. \u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. \u00a0\u00a0\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T15:48:56.802Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/14739303079053"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2022-43770",
"datePublished": "2023-04-11T15:48:16.650Z",
"dateReserved": "2022-10-26T12:55:14.327Z",
"dateUpdated": "2025-02-07T15:52:39.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3695 (GCVE-0-2022-3695)
Vulnerability from nvd – Published: 2023-04-11 15:45 – Updated: 2025-02-07 15:53
VLAI
Title
Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Affected:
1.0 , < 8.3.0.27
(maven)
Affected: 9.0.0.0 , < 9.2.0.4 (maven) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:03.359Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739451011981"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T15:53:31.395131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:53:35.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Community Dashboard Editor"
],
"product": "Pentaho Business Analytics Server",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "8.3.0.27",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "9.2.0.4",
"status": "affected",
"version": "9.0.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present. \u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present. \u00a0\u00a0\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T15:45:03.366Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/14739451011981"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2022-3695",
"datePublished": "2023-04-11T15:45:03.366Z",
"dateReserved": "2022-10-26T12:51:27.046Z",
"dateUpdated": "2025-02-07T15:53:35.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10701 (GCVE-0-2016-10701)
Vulnerability from nvd – Published: 2017-11-28 01:00 – Updated: 2024-08-06 03:30
VLAI
Summary
In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://jira.pentaho.com/browse/BISERVER-3562 | x_refsource_MISC |
| http://jira.pentaho.com/browse/BISERVER-6599 | x_refsource_MISC |
| http://www.securityfocus.com/bid/102200 | vdb-entryx_refsource_BID |
| http://jira.pentaho.com/browse/BISERVER-13207 | x_refsource_MISC |
Date Public
2017-11-27 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:30:20.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"name": "102200",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102200"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-16T10:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"name": "102200",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102200"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10701",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://jira.pentaho.com/browse/BISERVER-3562",
"refsource": "MISC",
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"name": "http://jira.pentaho.com/browse/BISERVER-6599",
"refsource": "MISC",
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"name": "102200",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102200"
},
{
"name": "http://jira.pentaho.com/browse/BISERVER-13207",
"refsource": "MISC",
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10701",
"datePublished": "2017-11-28T01:00:00.000Z",
"dateReserved": "2017-11-27T00:00:00.000Z",
"dateUpdated": "2024-08-06T03:30:20.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}