Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
6 vulnerabilities found for Pentaho Data Integration and Analytics by Hitachi Vantara
CVE-2025-11158 (GCVE-0-2025-11158)
Vulnerability from nvd – Published: 2026-03-09 22:12 – Updated: 2026-03-10 18:42
VLAI?
Title
Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization
Summary
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.
Severity ?
9.1 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Data Integration and Analytics |
Affected:
1.0 , ≤ 9.3.*
(maven)
Affected: 10.0 , < 10.2.0.6 (maven) |
Credits
Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:34:15.156923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:34:25.010Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-10T18:42:40.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.ox.security/blog/cve-2025-11158/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pentaho Data Integration and Analytics",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThanOrEqual": "9.3.*",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "10.2.0.6",
"status": "affected",
"version": "10.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6, including 9.3.x and\u0026nbsp;8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u0026nbsp;arbitrary scripts and leading to a RCE."
}
],
"value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6, including 9.3.x and\u00a08.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u00a0arbitrary scripts and leading to a RCE."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T22:12:51.587Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pentaho.com/hc/en-us/articles/39975058295821--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Missing-Authorization-Versions-before-10-2-0-6-impacted-CVE-2025-11158"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Missing Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2025-11158",
"datePublished": "2026-03-09T22:12:51.587Z",
"dateReserved": "2025-09-29T14:53:43.455Z",
"dateUpdated": "2026-03-10T18:42:40.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9122 (GCVE-0-2025-9122)
Vulnerability from nvd – Published: 2025-12-15 22:50 – Updated: 2025-12-16 15:10
VLAI?
Title
Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information
Summary
Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.
Severity ?
5.3 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Data Integration and Analytics |
Affected:
1.0 , < 10.2.0.4
(maven)
|
Credits
Hitachi Group Member
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9122",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T14:38:37.772980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:10:16.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Community Dashboard Framework"
],
"product": "Pentaho Data Integration and Analytics",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "10.2.0.4",
"status": "affected",
"version": "1.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet."
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T22:54:21.557Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/41833799577741--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-10-2-0-4-Impacted-CVE-2025-9122"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2025-9122",
"datePublished": "2025-12-15T22:50:42.466Z",
"dateReserved": "2025-08-18T18:06:40.111Z",
"dateUpdated": "2025-12-16T15:10:16.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9121 (GCVE-0-2025-9121)
Vulnerability from nvd – Published: 2025-12-15 22:53 – Updated: 2026-02-26 16:07
VLAI?
Title
Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data
Summary
Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Data Integration and Analytics |
Affected:
1.0 , < 10.2.0.4
(maven)
|
Credits
Hitachi Group Member
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T04:55:53.058795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:07:40.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Community Dashboard Editor",
"product": "Pentaho Data Integration and Analytics",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "10.2.0.4",
"status": "affected",
"version": "1.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T22:53:57.465Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2025-9121",
"datePublished": "2025-12-15T22:53:57.465Z",
"dateReserved": "2025-08-18T18:06:38.505Z",
"dateUpdated": "2026-02-26T16:07:40.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11158 (GCVE-0-2025-11158)
Vulnerability from cvelistv5 – Published: 2026-03-09 22:12 – Updated: 2026-03-10 18:42
VLAI?
Title
Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization
Summary
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.
Severity ?
9.1 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Data Integration and Analytics |
Affected:
1.0 , ≤ 9.3.*
(maven)
Affected: 10.0 , < 10.2.0.6 (maven) |
Credits
Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:34:15.156923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:34:25.010Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-10T18:42:40.262Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.ox.security/blog/cve-2025-11158/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pentaho Data Integration and Analytics",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThanOrEqual": "9.3.*",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "10.2.0.6",
"status": "affected",
"version": "10.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6, including 9.3.x and\u0026nbsp;8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u0026nbsp;arbitrary scripts and leading to a RCE."
}
],
"value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6, including 9.3.x and\u00a08.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u00a0arbitrary scripts and leading to a RCE."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T22:12:51.587Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://support.pentaho.com/hc/en-us/articles/39975058295821--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Missing-Authorization-Versions-before-10-2-0-6-impacted-CVE-2025-11158"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Missing Authorization",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2025-11158",
"datePublished": "2026-03-09T22:12:51.587Z",
"dateReserved": "2025-09-29T14:53:43.455Z",
"dateUpdated": "2026-03-10T18:42:40.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9121 (GCVE-0-2025-9121)
Vulnerability from cvelistv5 – Published: 2025-12-15 22:53 – Updated: 2026-02-26 16:07
VLAI?
Title
Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data
Summary
Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
Severity ?
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Data Integration and Analytics |
Affected:
1.0 , < 10.2.0.4
(maven)
|
Credits
Hitachi Group Member
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-17T04:55:53.058795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:07:40.029Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Community Dashboard Editor",
"product": "Pentaho Data Integration and Analytics",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "10.2.0.4",
"status": "affected",
"version": "1.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Pentaho Data Integration and Analytics Community Dashboard Editor plugin versions before 10.2.0.4, including 9.3.0.x and 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T22:53:57.465Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/41832536185613--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-4-Impacted-CVE-2025-9121"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2025-9121",
"datePublished": "2025-12-15T22:53:57.465Z",
"dateReserved": "2025-08-18T18:06:38.505Z",
"dateUpdated": "2026-02-26T16:07:40.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9122 (GCVE-0-2025-9122)
Vulnerability from cvelistv5 – Published: 2025-12-15 22:50 – Updated: 2025-12-16 15:10
VLAI?
Title
Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information
Summary
Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.
Severity ?
5.3 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Data Integration and Analytics |
Affected:
1.0 , < 10.2.0.4
(maven)
|
Credits
Hitachi Group Member
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9122",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T14:38:37.772980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T15:10:16.460Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Community Dashboard Framework"
],
"product": "Pentaho Data Integration and Analytics",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "10.2.0.4",
"status": "affected",
"version": "1.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e"
}
],
"value": "Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Framework prior to versions 10.2.0.4, including 9.3.0.x and 8.3.x display the full server stack trace when encountering an error within the GetCdfResource servlet."
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T22:54:21.557Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/41833799577741--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-10-2-0-4-Impacted-CVE-2025-9122"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2025-9122",
"datePublished": "2025-12-15T22:50:42.466Z",
"dateReserved": "2025-08-18T18:06:40.111Z",
"dateUpdated": "2025-12-16T15:10:16.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}