Vulnerabilities > Hitachi > Vantara Pentaho

DATE CVE VULNERABILITY TITLE RISK
2023-05-24 CVE-2022-4815 Deserialization of Untrusted Data vulnerability in Hitachi products
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods. 
network
low complexity
hitachi CWE-502
8.8
2023-05-24 CVE-2023-1158 Incorrect Authorization vulnerability in Hitachi products
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. 
network
low complexity
hitachi CWE-863
4.3
2022-11-02 CVE-2021-45448 Path Traversal vulnerability in Hitachi Vantara Pentaho 8.3.0.0/8.3.0.25/8.3.0.9
Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds.  The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
network
low complexity
hitachi CWE-22
6.5
2022-11-02 CVE-2021-45446 Improper Preservation of Permissions vulnerability in Hitachi Vantara Pentaho 8.3.0.0/8.3.0.25/8.3.0.9
A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder.  This directory listing provides an attacker with the complete index of all the resources located inside the directory.
network
low complexity
hitachi CWE-281
7.5
2022-11-02 CVE-2021-45447 Cleartext Transmission of Sensitive Information vulnerability in Hitachi Vantara Pentaho 8.3.0.0/8.3.0.25/8.3.0.9
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text.   The transmission of sensitive data in clear text allows unauthorized actors with access to the network to sniff and obtain sensitive information that can be later used to gain unauthorized access.
network
low complexity
hitachi CWE-319
7.5
2021-11-08 CVE-2021-31599 Unrestricted Upload of File with Dangerous Type vulnerability in Hitachi products
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x.
network
low complexity
hitachi CWE-434
8.8
2021-11-08 CVE-2021-31600 Files or Directories Accessible to External Parties vulnerability in Hitachi products
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x.
network
low complexity
hitachi CWE-552
4.3
2021-11-08 CVE-2021-31601 Unspecified vulnerability in Hitachi products
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x.
network
low complexity
hitachi
6.5
2021-11-08 CVE-2021-31602 Improper Authentication vulnerability in Hitachi products
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x.
network
low complexity
hitachi CWE-287
7.5
2021-11-08 CVE-2021-34684 SQL Injection vulnerability in Hitachi Vantara Pentaho
Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.
network
low complexity
hitachi CWE-89
critical
9.8