CVE-2025-11158 (GCVE-0-2025-11158)

Vulnerability from cvelistv5 – Published: 2026-03-09 22:12 – Updated: 2026-03-10 18:42
VLAI?
Title
Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization
Summary
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Hitachi Vantara Pentaho Data Integration and Analytics Affected: 1.0 , ≤ 9.3.* (maven)
Affected: 10.0 , < 10.2.0.6 (maven)
Create a notification for this product.
Credits
Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11158",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T14:34:15.156923Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-10T14:34:25.010Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-10T18:42:40.262Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.ox.security/blog/cve-2025-11158/"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Pentaho Data Integration and Analytics",
          "vendor": "Hitachi Vantara",
          "versions": [
            {
              "lessThanOrEqual": "9.3.*",
              "status": "affected",
              "version": "1.0",
              "versionType": "maven"
            },
            {
              "lessThan": "10.2.0.6",
              "status": "affected",
              "version": "10.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6, including 9.3.x and\u0026nbsp;8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u0026nbsp;arbitrary scripts and leading to a RCE."
            }
          ],
          "value": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6, including 9.3.x and\u00a08.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u00a0arbitrary scripts and leading to a RCE."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-09T22:12:51.587Z",
        "orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
        "shortName": "HITVAN"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://support.pentaho.com/hc/en-us/articles/39975058295821--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Missing-Authorization-Versions-before-10-2-0-6-impacted-CVE-2025-11158"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Missing Authorization",
      "x_generator": {
        "engine": "Vulnogram 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13",
    "assignerShortName": "HITVAN",
    "cveId": "CVE-2025-11158",
    "datePublished": "2026-03-09T22:12:51.587Z",
    "dateReserved": "2025-09-29T14:53:43.455Z",
    "dateUpdated": "2026-03-10T18:42:40.262Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-11158\",\"sourceIdentifier\":\"security.vulnerabilities@hitachivantara.com\",\"published\":\"2026-03-10T16:23:22.560\",\"lastModified\":\"2026-03-11T13:53:47.157\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6, including 9.3.x and\u00a08.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u00a0arbitrary scripts and leading to a RCE.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security.vulnerabilities@hitachivantara.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security.vulnerabilities@hitachivantara.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://support.pentaho.com/hc/en-us/articles/39975058295821--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Missing-Authorization-Versions-before-10-2-0-6-impacted-CVE-2025-11158\",\"source\":\"security.vulnerabilities@hitachivantara.com\"},{\"url\":\"https://www.ox.security/blog/cve-2025-11158/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.ox.security/blog/cve-2025-11158/\"}], \"x_generator\": {\"engine\": \"ADPogram 0.0.1\"}, \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-03-10T18:42:40.262Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-11158\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T14:34:15.156923Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T14:34:17.891Z\"}}], \"cna\": {\"title\": \"Hitachi Vantara Pentaho Data Integration \u0026 Analytics - Missing Authorization\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security\"}], \"impacts\": [{\"capecId\": \"CAPEC-1\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Hitachi Vantara\", \"product\": \"Pentaho Data Integration and Analytics\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0\", \"versionType\": \"maven\", \"lessThanOrEqual\": \"9.3.*\"}, {\"status\": \"affected\", \"version\": \"10.0\", \"lessThan\": \"10.2.0.6\", \"versionType\": \"maven\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://support.pentaho.com/hc/en-us/articles/39975058295821--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Missing-Authorization-Versions-before-10-2-0-6-impacted-CVE-2025-11158\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Hitachi Vantara Pentaho Data Integration \u0026 Analytics versions before 10.2.0.6, including 9.3.x and\\u00a08.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\\u00a0arbitrary scripts and leading to a RCE.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Hitachi Vantara Pentaho Data Integration \u0026amp; Analytics versions before 10.2.0.6, including 9.3.x and\u0026nbsp;8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of\u0026nbsp;arbitrary scripts and leading to a RCE.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"dce6e192-ff49-4263-9134-f0beccb9bc13\", \"shortName\": \"HITVAN\", \"dateUpdated\": \"2026-03-09T22:12:51.587Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-11158\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T18:42:40.262Z\", \"dateReserved\": \"2025-09-29T14:53:43.455Z\", \"assignerOrgId\": \"dce6e192-ff49-4263-9134-f0beccb9bc13\", \"datePublished\": \"2026-03-09T22:12:51.587Z\", \"assignerShortName\": \"HITVAN\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.