CVE-2022-4815 – Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2022-4815
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods. • https://support.pentaho.com/hc/en-us/articles/14455879270285-IMPORTANT-Resolved-Pentaho-BA-Server-Deserialization-of-Untrusted-Data-Versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-Impacted-CVE-2022-4815- • CWE-502: Deserialization of Untrusted Data •
CVE-2023-1158 – Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization
https://notcve.org/view.php?id=CVE-2023-1158
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list. • https://support.pentaho.com/hc/en-us/articles/14456024873741-IMPORTANT-Resolved-Pentaho-BA-Server-Incorrect-Authorization-Versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-Impacted-CVE-2023-1158- • CWE-863: Incorrect Authorization •
CVE-2022-4771 – Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
https://notcve.org/view.php?id=CVE-2022-4771
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables. • https://support.pentaho.com/hc/en-us/articles/14455436088717--Resolved-Pentaho-BA-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4771- • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-4770 – Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information
https://notcve.org/view.php?id=CVE-2022-4770
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt). • https://support.pentaho.com/hc/en-us/articles/14455209015949--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-9-4-0-0-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4770- • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2022-4769 – Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information
https://notcve.org/view.php?id=CVE-2022-4769
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the target path on host when a file is uploaded with an invalid character in its name. • https://support.pentaho.com/hc/en-us/articles/14452244712589--Resolved-Pentaho-BA-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-9-4-0-0-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4769- • CWE-209: Generation of Error Message Containing Sensitive Information •