Pentaho Data Integration And Analytics
Monthly
External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privileged attacker submit crafted XML that the application's parser resolves, disclosing sensitive local files and enabling server-side request forgery against internal systems. All releases before 10.2.0.7 are affected, as are 11.x branches before 11.0.0.0, explicitly including the 9.3.x and 8.3.x lines. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low (0.03%, 8th percentile).
Plaintext credential exposure in Hitachi Vantara Pentaho Data Integration & Analytics allows authenticated network users to retrieve Hadoop cluster credentials via the Cluster Test API response. Affected versions span the 8.3.x, 9.3.x, and 10.x lines up to 10.2.0.6, as well as all pre-11.0.0.0 builds in the 11.x line. The vendor acknowledges partial self-mitigation: because the Cluster Test API is only accessible to users who already hold sufficient privileges to submit Hadoop jobs via the backend API, the incremental credential exposure is constrained - though the plaintext disclosure still enables credential harvesting for lateral movement or offline use. No public exploit code exists and EPSS is negligible at time of analysis.
Missing ACL enforcement on Hitachi Vantara Pentaho Data Integration & Analytics API endpoints allows authenticated low-privileged users to interact with platform mail notification resources without authorization. Affected versions span the 8.3.x, 9.3.x, and pre-10.2.0.6/11.0.0.0 release lines. An attacker with a valid low-privilege account can read, modify, or disrupt mail notification configurations, resulting in limited confidentiality, integrity, and availability impact. No public exploit code exists and no active exploitation has been identified at time of analysis.
Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC driver. Authenticated data source administrators can execute arbitrary external scripts during database connection creation, achieving complete system compromise with potential container escape (CVSS scope changed). EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor advisory indicates patches available in versions 10.2.0.7 and 11.0.0.0.
Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x does not restrict JNDI identifiers during the creation of XActions, allowing control of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
External XML entity resolution in Hitachi Vantara Pentaho Data Integration & Analytics lets an authenticated, low-privileged attacker submit crafted XML that the application's parser resolves, disclosing sensitive local files and enabling server-side request forgery against internal systems. All releases before 10.2.0.7 are affected, as are 11.x branches before 11.0.0.0, explicitly including the 9.3.x and 8.3.x lines. There is no public exploit identified at time of analysis, and the EPSS exploitation probability is very low (0.03%, 8th percentile).
Plaintext credential exposure in Hitachi Vantara Pentaho Data Integration & Analytics allows authenticated network users to retrieve Hadoop cluster credentials via the Cluster Test API response. Affected versions span the 8.3.x, 9.3.x, and 10.x lines up to 10.2.0.6, as well as all pre-11.0.0.0 builds in the 11.x line. The vendor acknowledges partial self-mitigation: because the Cluster Test API is only accessible to users who already hold sufficient privileges to submit Hadoop jobs via the backend API, the incremental credential exposure is constrained - though the plaintext disclosure still enables credential harvesting for lateral movement or offline use. No public exploit code exists and EPSS is negligible at time of analysis.
Missing ACL enforcement on Hitachi Vantara Pentaho Data Integration & Analytics API endpoints allows authenticated low-privileged users to interact with platform mail notification resources without authorization. Affected versions span the 8.3.x, 9.3.x, and pre-10.2.0.6/11.0.0.0 release lines. An attacker with a valid low-privilege account can read, modify, or disrupt mail notification configurations, resulting in limited confidentiality, integrity, and availability impact. No public exploit code exists and no active exploitation has been identified at time of analysis.
Remote code execution in Pentaho Data Integration & Analytics affects all versions through vulnerable H2 database JDBC driver. Authenticated data source administrators can execute arbitrary external scripts during database connection creation, achieving complete system compromise with potential container escape (CVSS scope changed). EPSS data not provided; no CISA KEV listing identified at time of analysis. Vendor advisory indicates patches available in versions 10.2.0.7 and 11.0.0.0.
Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x does not restrict JNDI identifiers during the creation of XActions, allowing control of. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.