Hitachi Pentaho Business Analytics Server
By the Year
In 2026 there have been 0 vulnerabilities in Hitachi Pentaho Business Analytics Server. Last year, in 2025, Pentaho Business Analytics Server had 6 security vulnerabilities published. Right now, Pentaho Business Analytics Server is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 6 | 0.00 |
| 2024 | 3 | 6.80 |
| 2023 | 7 | 6.84 |
| 2022 | 1 | 7.50 |
It may take a day or so for new Pentaho Business Analytics Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Hitachi Pentaho Business Analytics Server Security Vulnerabilities
Pentaho BA Server <10.2.0.2 Out-of-Band XXE in Data Access XMLParserFactoryProducer
CVE-2025-24911
- April 16, 2025
Overview: XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo the data back (e.g. in an error message), thereby exposing the file contents (CWE-611).
Description: Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Data Access XMLParserFactoryProducer against out-of-band XML External Entity Reference.
Impact: By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or to hide the source of attacks such as port scanning.
Pentaho BA Server <10.2.0.2 XSS in Analyzer Plugin (9.3.x and 8.3.x also affected)
CVE-2025-0757
- April 16, 2025
Overview: The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users (CWE-79).
Description: Hitachi Vantara Pentaho Business Analytics Server prior to version 10.2.0.2, including 9.3.x and 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.
Impact: Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.
Pentaho BA Server <10.2.0.0/9.3.0.8 Missing Authorization Check in Data Source Management Service
CVE-2024-37363
- February 20, 2025
The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an authorization check in the data source management service. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.
Pentaho BA Server <10.2.0.0/9.3.0.9 Unsafe JSON Deserialization (CWE-502)
CVE-2024-37361
- February 20, 2025
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods. When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions.
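The entry above describes the general pattern (a JSON parser that instantiates whatever class the payload names) rather than Pentaho's code. The following is an added illustration in Python, not Hitachi Vantara's code, of the same flaw and its fix: a loader that resolves a dotted name from an "@type" tag into any importable callable, beside one that only builds classes from a fixed registry and rejects undeclared fields. The "@type" key, the DataSource class and the payloads are constructed for the example.

```python
import importlib
import json
import os
import tempfile
from dataclasses import dataclass, fields


@dataclass
class DataSource:
    """Constructed stand-in for a legitimate server-side object."""
    name: str
    jdbc_url: str


def _resolve_any(type_name: str):
    """The flaw in miniature: a dotted name taken from the payload is turned
    into a live callable, so the attacker chooses which constructor runs."""
    module_name, _, attr = type_name.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def load_vulnerable(payload: str):
    """Any object carrying an '@type' tag is materialised by calling it."""
    def hook(obj):
        type_name = obj.pop("@type", None)
        if type_name is None:
            return obj
        return _resolve_any(type_name)(**obj)
    return json.loads(payload, object_hook=hook)


# The only classes the hardened loader will ever construct.
APPROVED_TYPES = {"DataSource": DataSource}


def load_hardened(payload: str):
    """Same wire format, but the tag is a key into a fixed registry and the
    remaining keys must be declared fields of that class."""
    def hook(obj):
        type_name = obj.pop("@type", None)
        if type_name is None:
            return obj
        cls = APPROVED_TYPES.get(type_name)
        if cls is None:
            raise ValueError(f"type not approved: {type_name!r}")
        unexpected = set(obj) - {f.name for f in fields(cls)}
        if unexpected:
            raise ValueError(f"unexpected fields for {type_name}: {sorted(unexpected)}")
        try:
            return cls(**obj)
        except TypeError as exc:          # missing required field
            raise ValueError(f"bad payload for {type_name}: {exc}") from exc
    return json.loads(payload, object_hook=hook)


BENIGN = '{"@type": "DataSource", "name": "sales", "jdbc_url": "jdbc:hsqldb:mem:sales"}'


def demo() -> dict:
    """Show the vulnerable loader handing back an open file because the
    payload asked for builtins.open, and the hardened loader refusing."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("secret-from-disk")      # constructed content
        path = fh.name
    try:
        malicious = json.dumps({"@type": "builtins.open", "file": path, "mode": "r"})
        gadget = load_vulnerable(malicious)   # a real file handle, never intended
        with gadget:
            stolen = gadget.read()
        try:
            load_hardened(malicious)
            blocked = False
        except ValueError:
            blocked = True
        # A fully qualified name works for the vulnerable loader too, which is
        # exactly why it is dangerous: it resolves *anything* that is importable.
        qualified = BENIGN.replace('"DataSource"', f'"{DataSource.__module__}.DataSource"', 1)
        return {
            "stolen": stolen,
            "blocked": blocked,
            "benign_type": type(load_hardened(BENIGN)).__name__,
            "vulnerable_benign_type": type(load_vulnerable(qualified)).__name__,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The registry is the control the entry calls "constraining the parser to approved classes": the type name never touches an import or reflection call, and field names are checked against the class definition so a payload cannot smuggle constructor arguments the application never meant to expose.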
Pentaho BA Server <10.2.0.0/9.3.0.9 Unvalidated Host Header Enables Server-Side Request Forgery (CWE-918)
CVE-2024-37359
- February 19, 2025
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, to reach URL schemes such as file:// that can access documents on the local system, or to use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.
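The check the entry above implies, as an added example that is not Pentaho's code: a Host header is parsed into a canonical host and port, validated against a fixed allowlist, and only then used to compose an absolute URL, beside the naive pattern that interpolates the header as received. The allowlist, the path and all hostnames are constructed for the example; this is a generic illustration of Host validation, not a description of where Pentaho consumed the header.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed allowlist: the names this server is legitimately reachable as.
ALLOWED_HOSTS = {"bi.example.internal", "localhost"}

# DNS label syntax; also accepts dotted IPv4 literals.
_HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def parse_host_header(value: str):
    """Split a Host header into (canonical host, port or None).

    Anything that is not a bare host[:port] is rejected: userinfo ('@'),
    path or query characters, empty values, non-numeric ports, and names
    that are neither valid DNS labels nor IPv6 literals."""
    value = value.strip()
    if not value or any(c in value for c in "@/?#\\ "):
        raise ValueError(f"malformed Host header: {value!r}")
    parts = urlsplit("//" + value)    # reuse the stdlib authority parser
    host = parts.hostname             # lower-cased, IPv6 brackets stripped
    port = parts.port                 # raises ValueError on a bad port
    if not host:
        raise ValueError(f"malformed Host header: {value!r}")
    if ":" in host:
        ipaddress.IPv6Address(host)   # raises ValueError on a non-address
    else:
        host = host.rstrip(".")       # 'example.com.' and 'example.com' are the same name
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"malformed host name: {host!r}")
    return host, port


def build_absolute_url_unsafe(host_header: str, path: str) -> str:
    """The pattern behind the advisory: trust Host as-is when composing a
    URL the server will later fetch or redirect to."""
    return f"https://{host_header}{path}"


def build_absolute_url(host_header: str, path: str, allowed=ALLOWED_HOSTS) -> str:
    """Validate first, then rebuild the authority from the parsed pieces so
    nothing from the raw header reaches the URL unchanged."""
    host, port = parse_host_header(host_header)
    if host not in allowed:
        raise ValueError(f"host not in allowlist: {host!r}")
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be server-relative")
    authority = f"[{host}]" if ":" in host else host
    if port is not None:
        authority += f":{port}"
    return f"https://{authority}{path}"


if __name__ == "__main__":
    print(build_absolute_url("BI.Example.Internal:8443", "/pentaho/Home"))
    print(build_absolute_url_unsafe("attacker.example:9000", "/pentaho/Home"))
```

Because the scheme is fixed and the authority is rebuilt from validated parts, an attacker cannot steer the resulting request to file://, gopher:// or tftp:// targets, nor to an internal host the server was never meant to contact, which are the consequences the entry lists.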
Pentaho BA Server <10.2.0.0/9.3.0.9 XSS in Analyzer Plugin
CVE-2024-37360
- February 19, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): the software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users (CWE-79). Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface. Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site.
Pentaho BA Server <10.1.0.0/9.3.0.7 XXE at Pentaho User Console ACL Endpoint
CVE-2024-28982
8.2 - High
- June 26, 2024
Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x, do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.
XXE
Pentaho BA Server <10.1.0.0/9.3.0.7 Analyzer Plugin Content Injection via Malicious URL
CVE-2024-28983
6.1 - Medium
- June 26, 2024
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.
XSS
Pentaho BA Server <10.1.0.0/9.3.0.7 Analyzer Plugin URL Injection
CVE-2024-28984
6.1 - Medium
- June 26, 2024
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.
XSS
Pentaho BA Server <9.5.0.0/9.3.0.4 Hadoop Copy Files Step Saves Passwords in Plaintext
CVE-2023-2358
4.9 - Medium
- September 27, 2023
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.
Cleartext Storage of Sensitive Information
Pentaho BA Server <9.4.0.1/9.3.0.2 Out-of-Band XXE via Post Analysis Endpoint
CVE-2022-43941
6.5 - Medium
- April 03, 2023
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference.
XXE
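Three entries on this page (CVE-2025-24911, CVE-2024-28982 and CVE-2022-43941) are the same bug class: an XML endpoint whose parser resolves external entities. The following added example, written in Python's standard library rather than in Pentaho's Java code, shows the mechanism described above end to end: a parser that resolves external general entities expands a file:// SYSTEM entity into the contents of a local file, while a hardened parser rejects the DTD outright and keeps entity resolution off. The secret file, its path and the payload are constructed by the example; it assumes a POSIX filesystem so that "file://" + path is a valid URI.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class TextCollector(ContentHandler):
    """Collects character data so the demo can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Parser configured the way the flawed endpoints behave: external
    general entities are resolved, so a file:// SYSTEM entity reads disk."""
    parser = xml.sax.make_parser()
    # The dangerous switch. Python has defaulted it to False since 3.7.1;
    # the Java equivalent is leaving external-general-entities enabled.
    parser.setFeature(handler.feature_external_ges, True)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes: bytes) -> str:
    """Fail closed on any DTD, then parse with entity resolution disabled.

    Rejecting the DOCTYPE up front also covers the out-of-band variant,
    where the leak travels over http:// to an attacker host instead of
    appearing in the response."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD and entity declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_payload(system_uri: str) -> bytes:
    """Constructed attacker document: an external entity backed by a URI."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE data [ <!ENTITY leak SYSTEM "' + system_uri.encode() + b'"> ]>\n'
        b"<data>&leak;</data>\n"
    )


def demo() -> dict:
    """Plant a constructed secret on disk and show which parser leaks it."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("db_password=hunter2")   # constructed secret, not real data
        secret_path = fh.name
    try:
        payload = xxe_payload("file://" + secret_path)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True
        return {"leaked": leaked, "blocked": blocked}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

The same two controls apply to a Java parser: disallow the DOCTYPE declaration, and disable external general and parameter entities. Turning off only one of them leaves the out-of-band path open, which is why the hardened function does both.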
Pentaho BA Server <9.4.0.1/9.3.0.2 Non-Canonical URL Authorization Bypass
CVE-2022-43939
8.6 - High
- April 03, 2023
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, apply security restrictions to URLs without first canonicalizing them, so the restrictions can be circumvented with non-canonical URLs.
Use of Non-Canonical URL Paths for Authorization Decisions
Pentaho BA Server <9.4.0.0/9.3.0.1 Big Data Plugin Logs Cluster Credentials in Cleartext
CVE-2022-43772
6.5 - Medium
- April 03, 2023
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, with the Big Data Plugin expose the username and password of clusters in clear text in system logs.
Insertion of Sensitive Information into Log File
Pentaho BA Server <9.4.0.0/9.3.0.1 CSV Import Path Traversal via Data Access Plugin
CVE-2022-43771
6.5 - Medium
- April 03, 2023
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin expose a service endpoint for CSV import that allows a user-supplied path to access resources outside the intended directory.
Directory traversal
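CVE-2022-43939 (authorization decided on a non-canonical URL) and CVE-2022-43771 (a user-supplied CSV import path reaching outside its directory) are two faces of one rule: canonicalize before you decide. The following added example, not Pentaho code, shows both halves. For the URL case it reduces a request path to one canonical form (query and fragment dropped, percent-encoding undone until stable, per-segment ";" parameters stripped as servlet containers do, dot segments collapsed) and compares a naive prefix match against one made on the canonical path. For the filesystem case it resolves the supplied path under the import directory and rejects anything that lands outside it. The protected prefix "/admin" and the temporary import directory are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed: request paths that must only be reachable by administrators.
PROTECTED_PREFIXES = ("/admin",)


def canonical_url_path(raw: str) -> str:
    """Reduce a request path to one canonical form before any authz decision."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):                     # bounded: defeats %252e%252e double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("path is percent-encoded too many times")
    if "\x00" in path:
        raise ValueError("NUL in path")
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]         # '/admin;x=1/' is '/admin/' to Tomcat
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected_naive(raw: str) -> bool:
    """What the bypass exploits: a prefix match on the raw string."""
    return raw.startswith(PROTECTED_PREFIXES)


def is_protected(raw: str) -> bool:
    """Same decision, made on the canonical path and on whole segments."""
    path = canonical_url_path(raw)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def resolve_under_base(base_dir: str, user_path: str) -> str:
    """Filesystem counterpart for the CSV import case: the caller-supplied
    path must land inside base_dir after '..' and symlinks are resolved."""
    if "\x00" in user_path or os.path.isabs(user_path):
        raise ValueError(f"rejected path: {user_path!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes import directory: {user_path!r}")
    return candidate


def demo_filesystem() -> dict:
    """Constructed import directory with one legitimate CSV file."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "imports"))
        good = os.path.join(base, "imports", "data.csv")
        open(good, "w").close()
        rejected = []
        for bad in ("../outside.csv", "imports/../../outside.csv", "/etc/passwd"):
            try:
                resolve_under_base(base, bad)
            except ValueError:
                rejected.append(bad)
        return {
            "good_resolves": resolve_under_base(base, "imports/data.csv") == os.path.realpath(good),
            "rejected": rejected,
        }


if __name__ == "__main__":
    print(is_protected_naive("/public/../admin/users"), is_protected("/public/../admin/users"))
    print(demo_filesystem())
```

Two details matter in practice: the decode loop is bounded, so a payload that is encoded many times is rejected rather than normalized forever, and the filesystem check uses realpath on both sides so a symlink planted inside the import directory cannot point the lookup outside it.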
Pentaho BA Server <9.4.0.1/9.3.0.2 User Console Content Injection via URL Session Variables
CVE-2022-4771
6.1 - Medium
- April 03, 2023
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows a malicious URL to inject content into the Pentaho User Console through session variables.
XSS
Pentaho BA Server <9.4.0.1/9.3.0.2 Sample HSQLDB Data Source Shipped with Stored Procedures Enabled
CVE-2022-43773
8.8 - High
- April 03, 2023
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is installed with a sample HSQLDB data source configured with stored procedures enabled.
Incorrect Permission Assignment for Critical Resource
Pentaho BA Server <9.2.0.2/8.3.0.25 Hidden Property Not Cascaded to Home Folder Children (Directory Listing)
CVE-2021-45446
7.5 - High
- November 02, 2022
Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 do not cascade the hidden property to the children of the Home folder. The resulting directory listing gives an attacker the complete index of all resources located inside that directory.
Improper Preservation of Permissions
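The entries above give, for each CVE, the first fixed release per patched branch plus the branches that received no fix ("including 9.3.x and 8.3.x"). The following is an added example, not a Hitachi Vantara tool, that turns those statements into a branch-aware "is my installed release affected?" check. The decision rule is an interpretation of the advisory phrasing and is an assumption: a release is affected if it is older than the fix listed for its own major.minor branch, or, for a branch with no fix listed, if it is older than the newest fix listed. The fixed versions are copied from the entries on this page and nothing else.

```python
from typing import Dict, List, Set, Tuple

Version = Tuple[int, ...]

# CVE -> first fixed release in each patched branch, as published above.
# Branches that are affected with no fix ("including 9.3.x / 8.3.x") are
# simply absent from the list.
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2025-24911": ["10.2.0.2"],
    "CVE-2025-0757":  ["10.2.0.2"],
    "CVE-2024-37363": ["10.2.0.0", "9.3.0.8"],
    "CVE-2024-37361": ["10.2.0.0", "9.3.0.9"],
    "CVE-2024-37359": ["10.2.0.0", "9.3.0.9"],
    "CVE-2024-37360": ["10.2.0.0", "9.3.0.9"],
    "CVE-2024-28982": ["10.1.0.0", "9.3.0.7"],
    "CVE-2024-28983": ["10.1.0.0", "9.3.0.7"],
    "CVE-2024-28984": ["10.1.0.0", "9.3.0.7"],
    "CVE-2023-2358":  ["9.5.0.0", "9.3.0.4"],
    "CVE-2022-43941": ["9.4.0.1", "9.3.0.2"],
    "CVE-2022-43939": ["9.4.0.1", "9.3.0.2"],
    "CVE-2022-43772": ["9.4.0.0", "9.3.0.1"],
    "CVE-2022-43771": ["9.4.0.0", "9.3.0.1"],
    "CVE-2022-4771":  ["9.4.0.1", "9.3.0.2"],
    "CVE-2022-43773": ["9.4.0.1", "9.3.0.2"],
    "CVE-2021-45446": ["9.2.0.2", "8.3.0.25"],
}


def parse_version(text: str) -> Version:
    """'9.3' -> (9, 3, 0, 0); rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(installed: str, fixed_versions: List[str]) -> bool:
    """Assumed rule (see lead-in): compare against the fix for the installed
    major.minor branch if one is listed, otherwise against the newest fix."""
    v = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_versions]
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return v < min(same_branch)
    return v < max(fixes)


def affected_cves(installed: str) -> Set[str]:
    """All CVEs on this page that the assumed rule marks the release as affected by."""
    return {cve for cve, fixes in FIXED_IN.items() if is_affected(installed, fixes)}


if __name__ == "__main__":
    for release in ("10.2.0.2", "10.2.0.1", "9.3.0.8", "9.4.0.0", "8.3.0.30"):
        print(release, sorted(affected_cves(release)))
```

Two consequences of the data are worth noticing: a 9.3.x or 8.3.x installation stays affected by both 2025 CVEs no matter how far along its own branch it is, because those branches never received a fix; and 9.4.0.0 is affected by the four April 2023 issues fixed in 9.4.0.1 but not by the two fixed in 9.4.0.0 itself.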