CVE-2025-0758

MEDIUM

Hitachi Vantara Pentaho <10.2.0.2 - Info Disclosure

Title source: llm

Description

Overview The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (CWE-732) Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, is installed with Karaf JMX beans enabled and accessible by default. Impact When the vulnerability is leveraged, a user with local execution privileges can access functionality exposed by Karaf beans contained in the product.

References (1)

[Various Sources] https://support.pentaho.com/hc/en-us/articles/35781318194061--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Incorrect-Permission-Assignment-for-Critical-Resource-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-0758

Scores

CVSS v3 6.1

EPSS 0.0005

EPSS Percentile 14.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-732

Status published

Products (2)

Hitachi Vantara/Pentaho Business Analytics Server 1.0 - 9.3.*

Hitachi Vantara/Pentaho Business Analytics Server 10.0 - 10.2.0.2

Published Apr 16, 2025

Tracked Since Feb 18, 2026