Hitachi Vantara Pentaho Business Analytics Server


By the Year

In 2026 there have been 0 vulnerabilities in Hitachi Vantara Pentaho Business Analytics Server. Hitachi Vantara Pentaho Business Analytics Server did not have any published security vulnerabilities last year.

Year   Vulnerabilities   Average Score
2026   0                 0.00
2025   0                 0.00
2024   0                 0.00
2023   14                6.96

It may take a day or so for new Hitachi Vantara Pentaho Business Analytics Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Hitachi Vantara Pentaho Business Analytics Server Security Vulnerabilities

Pentaho BA Server <=9.4.0.1/9.3.0.3 JSON deserialization vulnerability
CVE-2022-4815 8.8 - High - May 24, 2023

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.

Marshaling, Unmarshaling

Pentaho BA Server <=9.3.0.3 / 8.3.x: Unauthorized Dashboard Prompt Exposure
CVE-2023-1158 4.3 - Medium - May 24, 2023

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, expose dashboard prompts to users who are not part of the authorization list.

AuthZ

Pentaho <=9.3.0.2 User Console Content Injection via URL Session Vars
CVE-2022-4771 6.1 - Medium - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows a malicious URL to inject content into the Pentaho User Console through session variables.

XSS

Pentaho Business Analytics Server: SQL Query Leak via Report Errors (pre-9.4)
CVE-2022-4770 4.3 - Medium - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).

Generation of Error Message Containing Sensitive Information

Pentaho BA Server 9.4-8.3 Path Disclosure 9.4.0/9.3.0
CVE-2022-4769 4.3 - Medium - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the target path on the host when a file is uploaded with an invalid character in its name.

Generation of Error Message Containing Sensitive Information

Pentaho BCE: XXE via Post Analysis Endpoint <9.4.0.1
CVE-2022-43941 6.5 - Medium - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity (XXE) references.

XXE

Auth Bypass Pentaho B.A.S. Hitachi Vantara <9.4.0.1 & <9.3.0.2
CVE-2022-43940 8.8 - High - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly perform an authorization check in the data source management service.

AuthZ

Pentaho Business Analytics Server <9.4.0.1 URL canonicalization bypass
CVE-2022-43939 8.6 - High - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, enforce security restrictions using non-canonical URLs, which can be circumvented.

Use of Non-Canonical URL Paths for Authorization Decisions

Pentaho BAS <=9.3.0.2 Admin Cannot Disable JVM Scripting in Reports
CVE-2022-43938 8.8 - High - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, does not allow a system administrator to disable the scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager.

Code Injection

Pentaho BaaS <9.4/9.3: cleartext cluster creds logged
CVE-2022-43772 6.5 - Medium - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, with the Big Data Plugin expose the username and password of clusters in clear text in system logs.

Insertion of Sensitive Information into Log File

Pentaho Server <9.4 CSV Import Path Traversal via Data Access Plugin
CVE-2022-43771 6.5 - Medium - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin expose a service endpoint for CSV import which allows a user-supplied path to access resources that are out of bounds.

Directory traversal

Pentaho BAs: CDE Scripting Not Disabled pre-9.4.0.1 (Hitachi Vantara)
CVE-2022-3960 6.3 - Medium - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, does not allow a system administrator to disable the scripting capabilities of the Community Dashboard Editor (CDE) plugin.

Code Injection

Pentaho BA Server <9.4.0.1 Stored Proc HSQLDB Flaw
CVE-2022-43773 8.8 - High - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, is installed with a sample HSQLDB data source configured with stored procedures enabled.

Incorrect Permission Assignment for Critical Resource

Pentaho BA Server <9.4.0.1: Web Service Template Injection via Spring
CVE-2022-43769 8.8 - High - April 03, 2023

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows certain web services to set property values which contain Spring templates that are interpreted downstream.

Injection

Vendor: Hitachi