Vulnerabilites related to hitachivantara - pentaho_business_analytics
CVE-2016-10701 (GCVE-0-2016-10701)
Vulnerability from cvelistv5
Published
2017-11-28 01:00
Modified
2024-08-06 03:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:30:20.144Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"name": "102200",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/102200"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-16T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"name": "102200",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/102200"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10701",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://jira.pentaho.com/browse/BISERVER-3562",
"refsource": "MISC",
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"name": "http://jira.pentaho.com/browse/BISERVER-6599",
"refsource": "MISC",
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"name": "102200",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/102200"
},
{
"name": "http://jira.pentaho.com/browse/BISERVER-13207",
"refsource": "MISC",
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10701",
"datePublished": "2017-11-28T01:00:00",
"dateReserved": "2017-11-27T00:00:00",
"dateUpdated": "2024-08-06T03:30:20.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3695 (GCVE-0-2022-3695)
Vulnerability from cvelistv5
Published
2023-04-11 15:45
Modified
2025-02-07 15:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.0.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:03.359Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739451011981"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-3695",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T15:53:31.395131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:53:35.374Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Community Dashboard Editor"
],
"product": "Pentaho Business Analytics Server",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "8.3.0.27",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "9.2.0.4",
"status": "affected",
"version": "9.0.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present. \u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present. \u00a0\u00a0\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T15:45:03.366Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/14739451011981"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2022-3695",
"datePublished": "2023-04-11T15:45:03.366Z",
"dateReserved": "2022-10-26T12:51:27.046Z",
"dateUpdated": "2025-02-07T15:53:35.374Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43770 (GCVE-0-2022-43770)
Vulnerability from cvelistv5
Published
2023-04-11 15:48
Modified
2025-02-07 15:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.0.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739303079053"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-43770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T15:52:06.578655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T15:52:39.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Dashboard Editor Plugin"
],
"product": "Pentaho Business Analytics Server",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "8.3.0.27",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "9.2.0.4",
"status": "affected",
"version": "9.0.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. \u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. \u00a0\u00a0\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-11T15:48:56.802Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/14739303079053"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2022-43770",
"datePublished": "2023-04-11T15:48:16.650Z",
"dateReserved": "2022-10-26T12:55:14.327Z",
"dateUpdated": "2025-02-07T15:52:39.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2358 (GCVE-0-2023-2358)
Vulnerability from cvelistv5
Published
2023-09-26 21:34
Modified
2024-09-23 20:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hitachi Vantara | Pentaho Business Analytics Server |
Version: 1.0 Version: 9.5.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.897Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.pentaho.com/hc/en-us/articles/19668208622221"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T20:23:19.372778Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T20:24:01.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pentaho Business Analytics Server",
"vendor": "Hitachi Vantara",
"versions": [
{
"lessThan": "9.3.0.5",
"status": "affected",
"version": "1.0",
"versionType": "maven"
},
{
"lessThan": "9.5.0.1",
"status": "affected",
"version": "9.5.0.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Hitachi Group Member"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eHitachi Vantara \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ePentaho Business Analytics Server\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n"
}
],
"value": "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.\u00a0\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-37 Retrieve Embedded Sensitive Data"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "CWE-257 ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-26T21:34:06.878Z",
"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"shortName": "HITVAN"
},
"references": [
{
"url": "https://support.pentaho.com/hc/en-us/articles/19668208622221"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Hitachi Vantara Pentaho Business Analytics Server \u2013 Password Stored in a Recoverable Format ",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
"assignerShortName": "HITVAN",
"cveId": "CVE-2023-2358",
"datePublished": "2023-09-26T21:34:06.878Z",
"dateReserved": "2023-04-27T19:02:38.693Z",
"dateUpdated": "2024-09-23T20:24:01.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-04-11 16:15
Modified
2024-11-21 07:20
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hitachivantara | pentaho_business_analytics | * | |
| hitachivantara | pentaho_business_analytics | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hitachivantara:pentaho_business_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8742C712-625E-494E-9D0D-655E8D6FFEF9",
"versionEndExcluding": "8.3.0.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hitachivantara:pentaho_business_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "518B06EF-2E80-4BD3-9A95-3FA904A61CEF",
"versionEndExcluding": "9.2.0.4",
"versionStartIncluding": "9.2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present. \u00a0\u00a0\n\n"
}
],
"id": "CVE-2022-3695",
"lastModified": "2024-11-21T07:20:02.980",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "security.vulnerabilities@hitachivantara.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-11T16:15:07.050",
"references": [
{
"source": "security.vulnerabilities@hitachivantara.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739451011981"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739451011981"
}
],
"sourceIdentifier": "security.vulnerabilities@hitachivantara.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security.vulnerabilities@hitachivantara.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-11 16:15
Modified
2024-11-21 07:27
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hitachivantara | pentaho_business_analytics | * | |
| hitachivantara | pentaho_business_analytics | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hitachivantara:pentaho_business_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8742C712-625E-494E-9D0D-655E8D6FFEF9",
"versionEndExcluding": "8.3.0.27",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hitachivantara:pentaho_business_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "518B06EF-2E80-4BD3-9A95-3FA904A61CEF",
"versionEndExcluding": "9.2.0.4",
"versionStartIncluding": "9.2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nHitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API. \u00a0\u00a0\n\n"
}
],
"id": "CVE-2022-43770",
"lastModified": "2024-11-21T07:27:12.087",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "security.vulnerabilities@hitachivantara.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-11T16:15:07.250",
"references": [
{
"source": "security.vulnerabilities@hitachivantara.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739303079053"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pentaho.com/hc/en-us/articles/14739303079053"
}
],
"sourceIdentifier": "security.vulnerabilities@hitachivantara.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security.vulnerabilities@hitachivantara.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-11-28 01:29
Modified
2025-04-20 01:37
Severity ?
Summary
In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://jira.pentaho.com/browse/BISERVER-13207 | Issue Tracking, Third Party Advisory | |
| cve@mitre.org | http://jira.pentaho.com/browse/BISERVER-3562 | Issue Tracking, Third Party Advisory | |
| cve@mitre.org | http://jira.pentaho.com/browse/BISERVER-6599 | Issue Tracking, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/102200 | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://jira.pentaho.com/browse/BISERVER-13207 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://jira.pentaho.com/browse/BISERVER-3562 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://jira.pentaho.com/browse/BISERVER-6599 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/102200 |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hitachivantara | pentaho_business_analytics | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hitachivantara:pentaho_business_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3CDFCB89-00ED-47EA-823E-B24506A054AD",
"versionEndIncluding": "8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Hitachi Vantara Pentaho BA Platform through 8.0, a CSRF issue exists in the Business Analytics application."
},
{
"lang": "es",
"value": "En Hitachi Vantara Pentaho BA Platform hasta la versi\u00f3n 8.0, existe un problema de CSRF en la aplicaci\u00f3n Business Analytics."
}
],
"id": "CVE-2016-10701",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-11-28T01:29:00.210",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/102200"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "http://jira.pentaho.com/browse/BISERVER-13207"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "http://jira.pentaho.com/browse/BISERVER-3562"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "http://jira.pentaho.com/browse/BISERVER-6599"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/102200"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-27 15:18
Modified
2024-11-21 07:58
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hitachivantara | pentaho_business_analytics | * | |
| hitachivantara | pentaho_business_analytics | 8.3.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hitachivantara:pentaho_business_analytics:*:*:*:*:*:*:*:*",
"matchCriteriaId": "43991A37-EAC7-40F6-B00C-08F48725C0F8",
"versionEndExcluding": "9.3.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:hitachivantara:pentaho_business_analytics:8.3.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "EC48F42D-D076-45F5-B572-7609B00C7201",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nHitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.\u00a0\n\n"
},
{
"lang": "es",
"value": "Hitachi Vantara Pentaho Business Analytics Server anterior a las versiones 9.5.0.0 y 9.3.0.4, incluida la 8.3.xx, guarda las contrase\u00f1as del paso Copiar Archivos en texto plano de Hadoop."
}
],
"id": "CVE-2023-2358",
"lastModified": "2024-11-21T07:58:27.127",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security.vulnerabilities@hitachivantara.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-27T15:18:50.790",
"references": [
{
"source": "security.vulnerabilities@hitachivantara.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pentaho.com/hc/en-us/articles/19668208622221"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.pentaho.com/hc/en-us/articles/19668208622221"
}
],
"sourceIdentifier": "security.vulnerabilities@hitachivantara.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-257"
}
],
"source": "security.vulnerabilities@hitachivantara.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}