174 matches found

CVE
added 2023/04/11 3:45 p.m. · 32 views

CVE-2022-3695

CVE-2022-3695 affects Hitachi Vantara Pentaho Business Analytics Server prior to 9.3.0.0, 9.2.0.4, and 8.3.0.27. The vulnerability arises when the CDE plugin is present and a malicious URL can inject content into a dashboard. Impact is content injection via URL provided to dashboards; exploitatio...

CVSS 6.5 · AI score 6.2 · EPSS 0.00353
Exploits: 0 · References: 1 · Affected Software: 1

Positive Technologies
added 2023/04/11 12:0 a.m. · 4 views

PT-2023-14316 · Hitachi Vantara · Pentaho Business Analytics Server

Name of the Vulnerable Software and Affected Versions:
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0
Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.4
Hitachi Vantara Pentaho Business Analytics Server versions before 8.3.0.27
Description: The...

CVSS 8.1 · AI score 7.8 · EPSS 0.00483
Exploits: 0 · References: 4

OSV
added 2023/04/03 7:15 p.m. · 2 views

CVE-2022-4770

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report .prpt...

CVSS 4.3 · AI score 5.8 · EPSS 0.00435
Exploits: 0 · References: 1

NVD
added 2023/04/03 7:15 p.m. · 11 views

CVE-2022-4771

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables...

CVSS 6.1 · AI score 5.7 · EPSS 0.00353
Exploits: 0 · References: 1

NVD
added 2023/04/03 7:15 p.m. · 20 views

CVE-2022-43941

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference...

CVSS 7.1 · AI score 7 · EPSS 0.0053
Exploits: 0 · References: 1

NVD
added 2023/04/03 7:15 p.m. · 19 views

CVE-2022-43940

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly perform an authorization check in the data source management service...

CVSS 8.8 · AI score 8.8 · EPSS 0.00555
Exploits: 0 · References: 1

OSV
added 2023/04/03 7:15 p.m. · 3 views

CVE-2022-43938

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports .prpt through the JVM script manager...

CVSS 8.8 · AI score 5.8 · EPSS 0.26633
Exploits: 0 · References: 1

Prion
added 2023/04/03 7:15 p.m. · 20 views

Design/Logic Flaw

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x contain security restrictions using non-canonical URLs which can be circumvented...

CVSS 7.5 · AI score 9.4 · EPSS 0.92266
Exploits: 6 · References: 2 · Affected Software: 1

Cvelist
added 2023/04/03 6:58 p.m. · 22 views

CVE-2022-4771 Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables...

CVSS 5.4 · AI score 6.5 · EPSS 0.00353
Exploits: 0 · References: 1

CVE
added 2023/04/03 6:56 p.m. · 57 views

CVE-2022-4770

Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.0 and 9.3.0.2 (including 8.3.x) disclose the full parametrized SQL query in an error message when a Pentaho Report (.prpt) contains an invalid character. This is an information disclosure vulnerability affecting the error-h...

CVSS 4.3 · AI score 4.9 · EPSS 0.00435
Exploits: 0 · References: 1 · Affected Software: 1

Vulnrichment
added 2023/04/03 6:56 p.m. · 6 views

CVE-2022-4770 Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report .prpt...

CVSS 4.3 · AI score 4.9 · EPSS 0.00435
Exploits: 0 · References: 1

Cvelist
added 2023/04/03 6:50 p.m. · 28 views

CVE-2022-43772 Hitachi Vantara Pentaho Business Analytics Server - Insertion of Sensitive Information into Log File

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs...

CVSS 3.8 · AI score 6.8 · EPSS 0.00392
Exploits: 0 · References: 1

Vulnrichment
added 2023/04/03 6:50 p.m. · 9 views

CVE-2022-43772 Hitachi Vantara Pentaho Business Analytics Server - Insertion of Sensitive Information into Log File

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs...

CVSS 3.8 · AI score 5 · EPSS 0.00392
Exploits: 0 · References: 1

CVE
added 2023/04/03 6:48 p.m. · 46 views

CVE-2022-3960

Hitachi Vantara Pentaho Business Analytics Server exposes a vulnerability (CVE-2022-3960) affecting versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, where a system administrator cannot disable scripting in the Community Dashboard Editor (CDE) plugin. The issue is documented across multiple s...

CVSS 6.3 · AI score 6.2 · EPSS 0.00453
Exploits: 0 · References: 1 · Affected Software: 1

OSV
added 2023/04/03 6:15 p.m. · 4 views

CVE-2022-43773

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled...

CVSS 8.8 · AI score 5.8 · EPSS 0.22179
Exploits: 0 · References: 1

NVD
added 2023/04/03 6:15 p.m. · 26 views

CVE-2022-43773

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is installed with a sample HSQLDB data source configured with stored procedures enabled...

CVSS 8.8 · AI score 8.7 · EPSS 0.22179
Exploits: 0 · References: 1

NVD
added 2023/04/03 6:15 p.m. · 19 views

CVE-2022-43769

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow certain web services to set property values which contain Spring templates that are interpreted downstream...

CVSS 8.8 · AI score 8.7 · EPSS 0.9767
Exploits: 6 · References: 3

CVE
added 2023/04/03 6:10 p.m. · 211 views

CVE-2022-43939

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2 (including 8.3.x) suffer from an authentication-bypass vulnerability due to security restrictions that use non-canonical URL paths. This CVE (CVE-2022-43939) allows bypassing authorization decisions for certain...

CVSS 9.8 · AI score 9.2 · EPSS 0.92266
In wild · Exploits: 6 · References: 3 · Affected Software: 1

Vulnrichment
added 2023/04/03 6:6 p.m. · 5 views

CVE-2022-43938 Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of Pentaho Reports .prpt through the JVM script manager...

CVSS 8.8 · AI score 8.5 · EPSS 0.26633
Exploits: 0 · References: 1

CVE
added 2023/04/03 6:6 p.m. · 57 views

CVE-2022-43938

CVE-2022-43938 affects Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x. The issue is described as an improper neutralization of directives in statically saved code (Static Code Injection) that, due to a JVM Script Manager flaw, cannot relia...

CVSS 8.8 · AI score 8.5 · EPSS 0.26633
Exploits: 0 · References: 1 · Affected Software: 1