CVE-2022-4770

MEDIUM

Hitachi Vantara Pentaho Business Analytics Server < 9.3.0.2 - Sensitive Information Exposure via SQL Error Message

Title source: llm

Description

Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).

References (1)

Core 1

Core References

Vendor Advisory

https://support.pentaho.com/hc/en-us/articles/14455209015949--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Generation-of-Error-Message-Containing-Sensitive-Information-Versions-before-9-4-0-0-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-4770-

Scores

CVSS v3 4.3

EPSS 0.0024

EPSS Percentile 47.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-209

Status published

Products (1)

hitachi/vantara_pentaho_business_analytics_server < 9.3.0.2

Published Apr 03, 2023

Tracked Since Feb 18, 2026