Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.
AnalysisAI
Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC driver. Authenticated data source administrators can execute arbitrary external scripts during database connection creation, achieving complete system compromise with potential container escape (CVSS scope changed). EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor advisory indicates patches available in versions 10.2.0.7 and 11.0.0.0.
Technical ContextAI
This vulnerability exploits the H2 database JDBC driver bundled with Pentaho Data Integration & Analytics. CWE-1395 classifies this as a dependency on vulnerable third-party component. H2 is an embedded Java SQL database commonly used for data integration workflows. Historical H2 JDBC vulnerabilities have enabled remote code execution through malicious JDBC connection strings containing embedded JavaScript, SQL, or system commands executed during connection initialization. When data source administrators create new database connections in Pentaho, specially crafted H2 JDBC URLs can trigger external script execution in the context of the application server process. The CVSS scope changed metric indicates the vulnerability can affect resources beyond the vulnerable component's security scope, suggesting potential for container escape or lateral movement in containerized deployments common with Pentaho platforms.
RemediationAI
Upgrade immediately to Pentaho Data Integration & Analytics version 10.2.0.7 (for 10.x deployments) or 11.0.0.0 (for 11.x or new deployments) per vendor advisory at https://support.pentaho.com/hc/en-us/articles/39954640408077. Test upgrades in non-production environments first as major version transitions may introduce compatibility issues with existing data integration workflows, custom plugins, or third-party connectors. If immediate patching is not feasible, implement compensating controls: restrict data source administrator role assignments to minimum necessary personnel with strong multi-factor authentication enforcement; enable comprehensive audit logging of all data source creation and modification activities with alerting on suspicious JDBC URL patterns containing INIT, SCRIPT, or command execution syntax; apply network segmentation to isolate Pentaho instances from sensitive internal networks and databases; disable or remove H2 database connectivity if not operationally required and alternative JDBC drivers (PostgreSQL, MySQL, Oracle) can satisfy use cases. Note that restricting admin access reduces attack surface but does not eliminate vulnerability if those accounts are compromised. Blocking outbound network connections from Pentaho application servers may limit external script retrieval but will not prevent local script execution payloads.
Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x does not restr
External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privil
Missing ACL enforcement on Hitachi Vantara Pentaho Data Integration & Analytics API endpoints allows authenticated low-p
Plaintext credential exposure in Hitachi Vantara Pentaho Data Integration & Analytics allows authenticated network users
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209821
GHSA-625c-v6wq-2rq5