Attacker Value
Unknown

CVE-2024-37359

Disclosure Date: February 19, 2025 (last updated February 20, 2025)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts in internal networks, to reach URL schemes that can access documents on the system (such as file://), or to use other protocols such as gopher:// or tftp://, which may provide greater control over the contents of requests.
Attacker Value
Unknown

CVE-2024-28984

Disclosure Date: June 26, 2024 (last updated September 19, 2024)
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.
Attacker Value
Unknown

CVE-2024-28982

Disclosure Date: June 26, 2024 (last updated September 19, 2024)
Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x, do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.
Attacker Value
Unknown

CVE-2023-1158

Disclosure Date: May 24, 2023 (last updated October 08, 2023)
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, expose dashboard prompts to users who are not part of the authorization list.
Attacker Value
Unknown

CVE-2022-4815

Disclosure Date: May 24, 2023 (last updated October 08, 2023)
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods.
Attacker Value
Unknown

CVE-2022-4771

Disclosure Date: April 03, 2023 (last updated November 08, 2023)
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, allows a malicious URL to inject content into the Pentaho User Console through session variables.
Attacker Value
Unknown

CVE-2022-4770

Disclosure Date: April 03, 2023 (last updated November 08, 2023)
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).
Attacker Value
Unknown

CVE-2022-4769

Disclosure Date: April 03, 2023 (last updated November 08, 2023)
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the target path on the host when a file is uploaded with an invalid character in its name.
Attacker Value
Unknown

CVE-2022-43941

Disclosure Date: April 03, 2023 (last updated November 08, 2023)
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference.
Attacker Value
Unknown

CVE-2022-43940

Disclosure Date: April 03, 2023 (last updated November 08, 2023)
Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x, do not correctly perform an authorization check in the data source management service.