CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24907 – Hitachi Vantara Pentaho Data Integration & Analytics – Path Traversal
https://notcve.org/view.php?id=CVE-2025-24907
16 Apr 2025 — Overview The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35) Description Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the CGG Draw API. Impact This allows attackers to traverse the fil... • https://support.pentaho.com/hc/en-us/articles/35781624069005--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Path-Traversal-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-24907 • CWE-35: Path Traversal: '.../ •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24908 – Hitachi Vantara Pentaho Data Integration & Analytics – Path Traversal
https://notcve.org/view.php?id=CVE-2025-24908
16 Apr 2025 — Overview The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. (CWE-35) Description Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not sanitize a user input used as a file path through the UploadFile service. Impact This allows attackers to traverse t... • https://support.pentaho.com/hc/en-us/articles/35783399569421--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Path-Traversal-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-24908 • CWE-35: Path Traversal: '.../ •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-0756 – Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection')
https://notcve.org/view.php?id=CVE-2025-0756
16 Apr 2025 — Overview The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) Description Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.2, including 9.3.x and 8.3.x, do not restrict JNDI identifiers during the creation of platform data sources. Impact An attacker could gain access to or modify sensitive data or system resou... • https://https://support.pentaho.com/hc/en-us/articles/35771876077709--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Control-of-Resource-Identifiers-Resource-Injection-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-0756 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37363 – Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization
https://notcve.org/view.php?id=CVE-2024-37363
19 Feb 2025 — The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an authorization check in the data source management service. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including in... • https://support.pentaho.com/hc/en-us/articles/34296230504589--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Incorrect-Authorization-Versions-before-10-2-0-0-and-9-3-0-8-including-8-3-x-Impacted-CVE-2024-37363 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37362 – Hitachi Vantara Pentaho Data Integration & Analytics - Insufficiently Protected Credentials
https://notcve.org/view.php?id=CVE-2024-37362
19 Feb 2025 — The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522) Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift. Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation. • https://support.pentaho.com/hc/en-us/articles/34296552220941--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Insufficiently-Protected-Credentials-Versions-before-10-2-0-0-and-9-3-0-8-including-8-3-x-Impacted-CVE-2024-37362 • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-6697 – Hitachi Vantara Pentaho Business Analytics Server - Improper Handling of Insufficient Permissions or Privileges
https://notcve.org/view.php?id=CVE-2024-6697
19 Feb 2025 — The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service. An adversary leverages a legitimate capability of... • https://support.pentaho.com/hc/en-us/articles/34296654642701--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Handling-of-Insufficient-Permissions-or-Privileges-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6697 • CWE-280: Improper Handling of Insufficient Permissions or Privileges •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-6696 – Hitachi Vantara Pentaho Business Analytics Server - Insufficient Granularity of Access Control
https://notcve.org/view.php?id=CVE-2024-6696
19 Feb 2025 — The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly... • https://support.pentaho.com/hc/en-us/articles/34296877157517--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Insufficient-Granularity-of-Access-Control-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6696 • CWE-1220: Insufficient Granularity of Access Control •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37361 – Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2024-37361
19 Feb 2025 — The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods. When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object ... • https://support.pentaho.com/hc/en-us/articles/34298351866893--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37360 • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37360 – Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
https://notcve.org/view.php?id=CVE-2024-37360
19 Feb 2025 — Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79) Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.0 and 9.3.0.9, including 8.3.x, allow a malicious URL to inject content into the Analyzer plugin interface. Once the mal... • https://support.pentaho.com/hc/en-us/articles/34298351866893--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-CVE-2024-37360 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37359 – Hitachi Vantara Pentaho Business Analytics Server – Server Side Request Forgery
https://notcve.org/view.php?id=CVE-2024-37359
19 Feb 2025 — The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, pos... • https://support.pentaho.com/hc/en-us/articles/34296789835917--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Server-Side-Request-Forgery-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37359 • CWE-918: Server-Side Request Forgery (SSRF) •