Vulnerabilities > Hitachi > Vantara Pentaho Business Analytics Server
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-24 | CVE-2022-4815 | Deserialization of Untrusted Data vulnerability in Hitachi products Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods. | 8.8 |
| 2023-05-24 | CVE-2023-1158 | Incorrect Authorization vulnerability in Hitachi products Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. | 4.3 |
| 2023-04-03 | CVE-2022-3960 | Code Injection vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin. | 6.3 |
| 2023-04-03 | CVE-2022-43771 | Path Traversal vulnerability in Hitachi Vantara Pentaho Business Analytics Server Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin exposes a service endpoint for CSV import which allows a user supplied path to access resources that are out of bounds. | 6.5 |
| 2023-04-03 | CVE-2022-43772 | Information Exposure Through Log Files vulnerability in Hitachi Vantara Pentaho Business Analytics Server Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs. | 6.5 |
| 2023-04-03 | CVE-2022-43938 | Code Injection vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager. | 8.8 |
| 2023-04-03 | CVE-2022-43940 | Incorrect Authorization vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service. | 8.8 |
| 2023-04-03 | CVE-2022-43941 | XXE vulnerability in Hitachi Vantara Pentaho Business Analytics Server 9.4.0.0 Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference. | 6.5 |
| 2023-04-03 | CVE-2022-4769 | Information Exposure Through an Error Message vulnerability in Hitachi Vantara Pentaho Business Analytics Server Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the target path on host when a file is uploaded with an invalid character in its name. | 4.3 |
| 2023-04-03 | CVE-2022-4770 | Information Exposure Through an Error Message vulnerability in Hitachi Vantara Pentaho Business Analytics Server Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt). | 4.3 |