{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-11158","assignerOrgId":"dce6e192-ff49-4263-9134-f0beccb9bc13","state":"PUBLISHED","assignerShortName":"HITVAN","dateReserved":"2025-09-29T14:53:43.455Z","datePublished":"2026-03-09T22:12:51.587Z","dateUpdated":"2026-03-10T18:42:40.262Z"},"containers":{"cna":{"providerMetadata":{"orgId":"dce6e192-ff49-4263-9134-f0beccb9bc13","shortName":"HITVAN","dateUpdated":"2026-03-09T22:12:51.587Z"},"title":"Hitachi Vantara Pentaho Data Integration & Analytics - Missing Authorization","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-862","description":"CWE-862: Missing Authorization","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-1","descriptions":[{"lang":"en","value":"CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}],"affected":[{"vendor":"Hitachi Vantara","product":"Pentaho Data Integration and Analytics","versions":[{"status":"affected","version":"1.0","lessThanOrEqual":"9.3.*","versionType":"maven"},{"status":"affected","version":"10.0","lessThan":"10.2.0.6","versionType":"maven"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to a RCE.","supportingMedia":[{"type":"text/html","base64":false,"value":"Hitachi Vantara Pentaho Data Integration &amp; Analytics versions before 10.2.0.6, including 9.3.x and&nbsp;8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of&nbsp;arbitrary scripts and leading to a \nRCE."}]}],"references":[{"url":"https://support.pentaho.com/hc/en-us/articles/39975058295821--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Missing-Authorization-Versions-before-10-2-0-6-impacted-CVE-2025-11158","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseSeverity":"CRITICAL","baseScore":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}}],"credits":[{"lang":"en","value":"Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-10T14:34:15.156923Z","id":"CVE-2025-11158","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-10T14:34:25.010Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-03-10T18:42:40.262Z"},"references":[{"url":"https://www.ox.security/blog/cve-2025-11158/"}],"title":"CVE Program Container","x_generator":{"engine":"ADPogram 0.0.1"}}]}}