Search

Find a vulnerability

Search criteria

    14 vulnerabilities found for Pentaho Data Integration and Analytics by Hitachi Vantara

    CVE-2026-2255 (GCVE-0-2026-2255)

    Vulnerability from nvd – Published: 2026-05-27 02:51 – Updated: 2026-05-27 18:00
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Insufficiently Protected Credentials
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , < 10.2.0.6 (maven)
    Affected: 10.0 , < 11.0.0 (maven)
    Create a notification for this product.
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2255",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T18:00:31.690560Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T18:00:39.061Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.6",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "11.0.0",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6 and 11.0.0.0, including\u0026nbsp;9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although\u0026nbsp;the user should not see those explicitly, the defect is mitigated by the fact the user can already\u0026nbsp;leverage those credentials to submit jobs under the same account through the backend API.\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6 and 11.0.0.0, including\u00a09.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although\u00a0the user should not see those explicitly, the defect is mitigated by the fact the user can already\u00a0leverage those credentials to submit jobs under the same account through the backend API."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-102",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-102 Session Sidejacking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T02:57:46.206Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/45672235545101--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Insufficiently-Protected-Credentials-Versions-before-10-2-0-6-and-11-0-0-0-Impacted-CVE-2026-2255"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Insufficiently Protected Credentials",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2026-2255",
        "datePublished": "2026-05-27T02:51:31.793Z",
        "dateReserved": "2026-02-09T15:09:09.473Z",
        "dateUpdated": "2026-05-27T18:00:39.061Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2254 (GCVE-0-2026-2254)

    Vulnerability from nvd – Published: 2026-05-27 02:46 – Updated: 2026-05-27 18:00
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Incorrect Permission Assignment for Critical Resource
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , < 10.2.0.6 (maven)
    Affected: 10.0 , < 11.0.0.0 (maven)
    Create a notification for this product.
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T17:59:55.849274Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T18:00:14.572Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.6",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "11.0.0.0",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6 and 11.0.0.0, including\u0026nbsp;9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6 and 11.0.0.0, including\u00a09.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T02:46:36.132Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/45676384909069--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Incorrect-Permission-Assignment-for-Critical-Resource-Versions-before-10-2-0-6-and-11-0-0-0-Impacted-CVE-2026-2254?brand_id=1928686"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Incorrect Permission Assignment for Critical  Resource",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2026-2254",
        "datePublished": "2026-05-27T02:46:36.132Z",
        "dateReserved": "2026-02-09T15:09:08.406Z",
        "dateUpdated": "2026-05-27T18:00:14.572Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2253 (GCVE-0-2026-2253)

    Vulnerability from nvd – Published: 2026-05-27 02:54 – Updated: 2026-05-27 18:00
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Improper Restriction of XML External Entity Reference
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper restriction of XML external entity reference
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , < 10.2.0.7 (maven)
    Affected: 10.0 , < 11.0.0 (maven)
    Create a notification for this product.
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2253",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T18:00:51.429151Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T18:00:59.490Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.7",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "11.0.0",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.7 and 11.0.0.0, including\u0026nbsp;9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.7 and 11.0.0.0, including\u00a09.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-201",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-201 Serialized Data External Linking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper restriction of XML external entity reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T02:54:25.857Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/45677548193933--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2026-2253"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Improper Restriction of XML External Entity  Reference",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2026-2253",
        "datePublished": "2026-05-27T02:54:25.857Z",
        "dateReserved": "2026-02-09T15:09:06.755Z",
        "dateUpdated": "2026-05-27T18:00:59.490Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11159 (GCVE-0-2025-11159)

    Vulnerability from nvd – Published: 2026-05-13 05:36 – Updated: 2026-05-13 14:44
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Dependency on Vulnerable Third-Party Component
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1395 - Dependency on Vulnerable Third-Party Component
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , < 10.2.0.7 (maven)
    Affected: 1.0 , < 11.0 (maven)
    Create a notification for this product.
    Credits
    Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11159",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T14:44:30.743315Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T14:44:36.235Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.7",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "11.0",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nir Zadok (nirza) and Moshe Siman Tov Bustan  from OX Security"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a\u0026nbsp;data source administrator."
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a\u00a0data source administrator."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-310",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-310 Scanning for Vulnerable Software"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1395",
                  "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T05:36:43.720Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/39954640408077--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Dependency-on-Vulnerable-Third-Party-Component-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2025-11159"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Dependency on Vulnerable Third-Party  Component",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2025-11159",
        "datePublished": "2026-05-13T05:36:43.720Z",
        "dateReserved": "2025-09-29T14:53:44.917Z",
        "dateUpdated": "2026-05-13T14:44:36.235Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11158 (GCVE-0-2025-11158)

    Vulnerability from nvd – Published: 2026-03-09 22:12 – Updated: 2026-03-10 18:42
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , ≤ 9.3.* (maven)
    Affected: 10.0 , < 10.2.0.6 (maven)
    Create a notification for this product.
    Credits
    Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11158",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-10T14:34:15.156923Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-10T14:34:25.010Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-10T18:42:40.262Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.ox.security/blog/cve-2025-11158/"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThanOrEqual": "9.3.*",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "10.2.0.6",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6, including 9.3.x and\u0026nbsp;8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u0026nbsp;arbitrary scripts and leading to a RCE."
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6, including 9.3.x and\u00a08.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u00a0arbitrary scripts and leading to a RCE."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-09T22:12:51.587Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pentaho.com/hc/en-us/articles/39975058295821--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Missing-Authorization-Versions-before-10-2-0-6-impacted-CVE-2025-11158"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Missing Authorization",
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2025-11158",
        "datePublished": "2026-03-09T22:12:51.587Z",
        "dateReserved": "2025-09-29T14:53:43.455Z",
        "dateUpdated": "2026-03-10T18:42:40.262Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9122 (GCVE-0-2025-9122)

    Vulnerability from nvd – Published: 2025-12-15 22:50 – Updated: 2025-12-16 15:10
    VLAI
    Title
    Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information
    Summary
    Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9122",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-16T14:38:37.772980Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-16T15:10:16.460Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Community Dashboard Framework"
              ],
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.4",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-15T22:54:21.557Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/41833799577741--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-10-2-0-4-Impacted-CVE-2025-9122"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2025-9122",
        "datePublished": "2025-12-15T22:50:42.466Z",
        "dateReserved": "2025-08-18T18:06:40.111Z",
        "dateUpdated": "2025-12-16T15:10:16.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9121 (GCVE-0-2025-9121)

    Vulnerability from nvd – Published: 2025-12-15 22:53 – Updated: 2026-02-26 16:07
    VLAI
    Title
    Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data
    Summary
    Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9121",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-17T04:55:53.058795Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T16:07:40.029Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "Community Dashboard Editor",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.4",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
                }
              ],
              "value": "Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-15T22:53:57.465Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2025-9121",
        "datePublished": "2025-12-15T22:53:57.465Z",
        "dateReserved": "2025-08-18T18:06:38.505Z",
        "dateUpdated": "2026-02-26T16:07:40.029Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2253 (GCVE-0-2026-2253)

    Vulnerability from cvelistv5 – Published: 2026-05-27 02:54 – Updated: 2026-05-27 18:00
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Improper Restriction of XML External Entity Reference
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-611 - Improper restriction of XML external entity reference
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , < 10.2.0.7 (maven)
    Affected: 10.0 , < 11.0.0 (maven)
    Create a notification for this product.
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2253",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T18:00:51.429151Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T18:00:59.490Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.7",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "11.0.0",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.7 and 11.0.0.0, including\u0026nbsp;9.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities.\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.7 and 11.0.0.0, including\u00a09.3.x and 8.3.x, does not prevent certain XML parsers from resolving external entities."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-201",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-201 Serialized Data External Linking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-611",
                  "description": "CWE-611 Improper restriction of XML external entity reference",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T02:54:25.857Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/45677548193933--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2026-2253"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Improper Restriction of XML External Entity  Reference",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2026-2253",
        "datePublished": "2026-05-27T02:54:25.857Z",
        "dateReserved": "2026-02-09T15:09:06.755Z",
        "dateUpdated": "2026-05-27T18:00:59.490Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2255 (GCVE-0-2026-2255)

    Vulnerability from cvelistv5 – Published: 2026-05-27 02:51 – Updated: 2026-05-27 18:00
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Insufficiently Protected Credentials
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although the user should not see those explicitly, the defect is mitigated by the fact the user can already leverage those credentials to submit jobs under the same account through the backend API.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , < 10.2.0.6 (maven)
    Affected: 10.0 , < 11.0.0 (maven)
    Create a notification for this product.
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2255",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T18:00:31.690560Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T18:00:39.061Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.6",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "11.0.0",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6 and 11.0.0.0, including\u0026nbsp;9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although\u0026nbsp;the user should not see those explicitly, the defect is mitigated by the fact the user can already\u0026nbsp;leverage those credentials to submit jobs under the same account through the backend API.\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6 and 11.0.0.0, including\u00a09.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. Although\u00a0the user should not see those explicitly, the defect is mitigated by the fact the user can already\u00a0leverage those credentials to submit jobs under the same account through the backend API."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-102",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-102 Session Sidejacking"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522: Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T02:57:46.206Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/45672235545101--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Insufficiently-Protected-Credentials-Versions-before-10-2-0-6-and-11-0-0-0-Impacted-CVE-2026-2255"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Insufficiently Protected Credentials",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2026-2255",
        "datePublished": "2026-05-27T02:51:31.793Z",
        "dateReserved": "2026-02-09T15:09:09.473Z",
        "dateUpdated": "2026-05-27T18:00:39.061Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2254 (GCVE-0-2026-2254)

    Vulnerability from cvelistv5 – Published: 2026-05-27 02:46 – Updated: 2026-05-27 18:00
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Incorrect Permission Assignment for Critical Resource
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , < 10.2.0.6 (maven)
    Affected: 10.0 , < 11.0.0.0 (maven)
    Create a notification for this product.
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2254",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T17:59:55.849274Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T18:00:14.572Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.6",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "11.0.0.0",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6 and 11.0.0.0, including\u0026nbsp;9.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications.\u0026nbsp;\u003cbr\u003e"
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6 and 11.0.0.0, including\u00a09.3.x and 8.3.x, does not apply ACLs on certain API endpoints related to platform mail notfications."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T02:46:36.132Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/45676384909069--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Incorrect-Permission-Assignment-for-Critical-Resource-Versions-before-10-2-0-6-and-11-0-0-0-Impacted-CVE-2026-2254?brand_id=1928686"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Incorrect Permission Assignment for Critical  Resource",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2026-2254",
        "datePublished": "2026-05-27T02:46:36.132Z",
        "dateReserved": "2026-02-09T15:09:08.406Z",
        "dateUpdated": "2026-05-27T18:00:14.572Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11159 (GCVE-0-2025-11159)

    Vulnerability from cvelistv5 – Published: 2026-05-13 05:36 – Updated: 2026-05-13 14:44
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Dependency on Vulnerable Third-Party Component
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1395 - Dependency on Vulnerable Third-Party Component
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , < 10.2.0.7 (maven)
    Affected: 1.0 , < 11.0 (maven)
    Create a notification for this product.
    Credits
    Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11159",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T14:44:30.743315Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T14:44:36.235Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.7",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "11.0",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nir Zadok (nirza) and Moshe Siman Tov Bustan  from OX Security"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a\u0026nbsp;data source administrator."
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a\u00a0data source administrator."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-310",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-310 Scanning for Vulnerable Software"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1395",
                  "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T05:36:43.720Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/39954640408077--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Dependency-on-Vulnerable-Third-Party-Component-Versions-before-10-2-0-7-and-11-0-0-0-Impacted-CVE-2025-11159"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Dependency on Vulnerable Third-Party  Component",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2025-11159",
        "datePublished": "2026-05-13T05:36:43.720Z",
        "dateReserved": "2025-09-29T14:53:44.917Z",
        "dateUpdated": "2026-05-13T14:44:36.235Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11158 (GCVE-0-2025-11158)

    Vulnerability from cvelistv5 – Published: 2026-03-09 22:12 – Updated: 2026-03-10 18:42
    VLAI
    Title
    Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization
    Summary
    Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , ≤ 9.3.* (maven)
    Affected: 10.0 , < 10.2.0.6 (maven)
    Create a notification for this product.
    Credits
    Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11158",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-10T14:34:15.156923Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-10T14:34:25.010Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-03-10T18:42:40.262Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://www.ox.security/blog/cve-2025-11158/"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThanOrEqual": "9.3.*",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                },
                {
                  "lessThan": "10.2.0.6",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6, including 9.3.x and\u0026nbsp;8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u0026nbsp;arbitrary scripts and leading to a RCE."
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6, including 9.3.x and\u00a08.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u00a0arbitrary scripts and leading to a RCE."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-1",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-09T22:12:51.587Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://support.pentaho.com/hc/en-us/articles/39975058295821--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Missing-Authorization-Versions-before-10-2-0-6-impacted-CVE-2025-11158"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Missing Authorization",
          "x_generator": {
            "engine": "Vulnogram 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2025-11158",
        "datePublished": "2026-03-09T22:12:51.587Z",
        "dateReserved": "2025-09-29T14:53:43.455Z",
        "dateUpdated": "2026-03-10T18:42:40.262Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9121 (GCVE-0-2025-9121)

    Vulnerability from cvelistv5 – Published: 2025-12-15 22:53 – Updated: 2026-02-26 16:07
    VLAI
    Title
    Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data
    Summary
    Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9121",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-17T04:55:53.058795Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T16:07:40.029Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "Community Dashboard Editor",
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.4",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
                }
              ],
              "value": "Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-586",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-586 Object Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-15T22:53:57.465Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2025-9121",
        "datePublished": "2025-12-15T22:53:57.465Z",
        "dateReserved": "2025-08-18T18:06:38.505Z",
        "dateUpdated": "2026-02-26T16:07:40.029Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-9122 (GCVE-0-2025-9122)

    Vulnerability from cvelistv5 – Published: 2025-12-15 22:50 – Updated: 2025-12-16 15:10
    VLAI
    Title
    Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information
    Summary
    Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Credits
    Hitachi Group Member
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9122",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-16T14:38:37.772980Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-16T15:10:16.460Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Community Dashboard Framework"
              ],
              "product": "Pentaho Data Integration and Analytics",
              "vendor": "Hitachi Vantara",
              "versions": [
                {
                  "lessThan": "10.2.0.4",
                  "status": "affected",
                  "version": "1.0",
                  "versionType": "maven"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hitachi Group Member"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
                }
              ],
              "value": "Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-54",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-54 Query System for Information"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-15T22:54:21.557Z",
            "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
            "shortName": "HITVAN"
          },
          "references": [
            {
              "url": "https://support.pentaho.com/hc/en-us/articles/41833799577741--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-10-2-0-4-Impacted-CVE-2025-9122"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "assignerShortName": "HITVAN",
        "cveId": "CVE-2025-9122",
        "datePublished": "2025-12-15T22:50:42.466Z",
        "dateReserved": "2025-08-18T18:06:40.111Z",
        "dateUpdated": "2025-12-16T15:10:16.460Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }