A recently published bulletin from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) notified of two security flaws affecting older versions of Hitachi Vantara Pentaho Business Analytics Server.
These two issues relate to older versions of our analytics software and have long since been identified and addressed with fixes. Please refer to the following notifications for more information:

• CVE-2022-43939: (Resolved) Pentaho BA Server - Use of Non-Canonical URL Paths for Authorization Decisions
• CVE-2022-43769: (Resolved) Pentaho BA Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

If any of the information presented above remains unclear, please contact Pentaho Support or your authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.