Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, expose Hadoop cluster credentials in plain text through the Cluster Test API. The vendor notes that while users should not see these credentials explicitly, the defect's impact is mitigated because authenticated users can already leverage those same credentials to submit jobs under the sa [truncated]
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6 and 11.0.0.0, including 9.3.x and 8.3.x, contain an incorrect permission assignment vulnerability (CWE-732) affecting API endpoints related to platform mail notifications. The vulnerability allows authenticated users with low privileges to bypass access control lists (ACLs) on certain mail notification APIs, potentially enabling [truncated]
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.7 and 11.0.0.0, including 9.3.x and 8.3.x, contain an XML External Entity (XXE) injection vulnerability due to improper restriction of XML external entity references. The vulnerability, published 2026-05-27, allows authenticated attackers with network access to potentially read arbitrary files or conduct server-side request forger [truncated]
Known exploitedHitachi VantaraCVE published 2025-03-03
CVE-2022-43939 is a Hitachi Vantara Pentaho Business Analytics (BA) Server authorization bypass issue tied to non-canonical URL paths being used for authorization decisions. CISA lists it in the Known Exploited Vulnerabilities catalog, so defenders should treat it as an actively relevant exposure and prioritize remediation on any affected Pentaho BA Server instance.
Known exploitedHitachi VantaraCVE published 2025-03-03
CVE-2022-43769 is a CISA Known Exploited Vulnerability affecting Hitachi Vantara Pentaho Business Analytics (BA) Server. The KEV record identifies it as a special element injection issue and points to vendor guidance for mitigation. Because CISA has flagged it for active exploitation, organizations running Pentaho BA Server should treat it as a high-priority remediation item, especially for versions noted [truncated]
