CVE-2025-11159: External Script Execution in Hitachi Pentaho
Platform: java
Component: h2database
Fixed in: 11.0
CVE-2025-11159 is a critical external script execution vulnerability affecting the H2 Database JDBC driver used by Hitachi Pentaho Data Integration & Analytics. This flaw allows an attacker, specifically a data source administrator, to execute arbitrary code on the system. Versions 1.0.0 through 11.0 are vulnerable, and a fix is available in version 11.0.
Impact and attack scenarios
The impact of CVE-2025-11159 is severe. Successful exploitation allows an attacker to execute arbitrary code within the context of the Pentaho application, potentially gaining full control of the underlying system. This could lead to data breaches, system compromise, and disruption of business operations. The vulnerability stems from the H2 JDBC driver's handling of connection creation, where insufficient validation of administrator-provided input allows for the injection of malicious scripts. Given Pentaho's role in data integration and analytics, the potential for data exfiltration and manipulation is significant.
Exploitation context
The vulnerability's criticality (CVSS 9.1) and the potential for remote code execution suggest a high likelihood of exploitation. While no public exploits are currently known, the ease of exploitation (requiring only administrator privileges within Pentaho) makes it an attractive target. The vulnerability was published on 2026-05-13, and it is advisable to prioritize remediation. It is not currently listed on KEV or EPSS, but the high CVSS score warrants close monitoring.
Threat analysis
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access is required.
- Attack Complexity: Low. No special conditions are required; the flaw is reliably exploitable.
- Privileges Required: High. An administrator or otherwise privileged account is required.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Changed. The attack can spread beyond the vulnerable component to other systems.
- Confidentiality: High. Complete loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete arbitrary data.
- Availability: High. Complete crash or resource exhaustion; total denial of service.
Mitigation and workarounds
The primary mitigation for CVE-2025-11159 is to upgrade Hitachi Pentaho Data Integration & Analytics to version 11.0 or later, which contains the fix. If immediate upgrading is not possible, consider restricting data source administrator privileges to minimize the attack surface. Implement strict input validation on any data source configuration parameters. While a WAF might offer some protection, it is unlikely to be effective against this type of injection. Monitor Pentaho logs for suspicious activity related to connection creation and JDBC driver usage. After upgrading, verify the fix by attempting to create a new data source connection with potentially malicious input and confirming that the script execution is prevented.
How to fix
Update the H2 JDBC driver to version 10.2.0.7 or later, or to version 11.0 or later, to mitigate the external script execution vulnerability. Review the data source configuration to ensure that only authorized users can create new connections. Consult the Hitachi Vantara Pentaho documentation for specific upgrade instructions.
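The mitigation section above recommends strict input validation on data source configuration parameters and restricting who may create connections, and the fix section asks administrators to review the data source configuration. The following is an added example of what that validation can look like; it is not code from Hitachi Pentaho, from the H2 project, or from this advisory. It assumes that an administrator-supplied data source reaches the H2 driver as a JDBC URL of the form `jdbc:h2:<location>;KEY=VALUE;...`, and it uses an allowlist (only the location kinds and connection settings a deployment actually needs) rather than trying to enumerate the H2 settings that make the driver run SQL or load code when a connection opens. The policy values (`file_root`, the allowed settings, the sample URLs) are constructed for illustration.

```python
import posixpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class H2UrlPolicy:
    """Per-deployment policy (constructed values; adapt to your environment)."""
    # Database location kinds an administrator may use (H2's mem: and file:).
    allowed_location_kinds: frozenset = frozenset({"mem", "file"})
    # Every file-backed database must live below this directory (assumed path).
    file_root: str = "/var/lib/pentaho/h2/"
    # The only connection settings allowed after the location. Anything not
    # listed is rejected, so dangerous settings never need to be enumerated.
    allowed_settings: frozenset = frozenset(
        {"MODE", "DB_CLOSE_DELAY", "IFEXISTS", "DB_CLOSE_ON_EXIT"}
    )


# Database names: plain path-like tokens, no quotes, spaces, URLs or separators.
_NAME_RE = re.compile(r"^[A-Za-z0-9_./-]+$")
# Setting values: single tokens only (so "-1", "TRUE" and "PostgreSQL" pass).
_VALUE_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
_PREFIX = "jdbc:h2:"


def validate_h2_url(url: str, policy: H2UrlPolicy = H2UrlPolicy()) -> tuple[bool, str]:
    """Return (True, canonical_url) if the URL satisfies the policy, else (False, reason)."""
    if not url.startswith(_PREFIX):
        return False, "not an H2 JDBC URL"
    location, *settings = url[len(_PREFIX):].split(";")

    # The location is "<kind>:<name>"; a bare path means a file database in H2.
    if ":" in location:
        kind, name = location.split(":", 1)
    else:
        kind, name = "file", location
    kind = kind.lower()
    if kind not in policy.allowed_location_kinds:
        return False, f"location kind '{kind}' is not allowed"
    if not _NAME_RE.match(name):
        return False, "database name contains disallowed characters"
    if kind == "file":
        # Collapse ".." segments before checking containment in the root.
        name = posixpath.normpath(name)
        root = policy.file_root.rstrip("/") + "/"
        if not name.startswith(root):
            return False, "file database is outside the permitted root"

    seen = set()
    canonical = []
    for setting in settings:
        key, sep, value = setting.partition("=")
        key = key.strip().upper()          # H2 setting names are case-insensitive
        if not sep or not key:
            return False, f"malformed setting '{setting}'"
        if key not in policy.allowed_settings:
            return False, f"setting '{key}' is not allowed"
        if key in seen:
            return False, f"setting '{key}' is repeated"
        if not _VALUE_RE.match(value):
            return False, f"value of '{key}' contains disallowed characters"
        seen.add(key)
        canonical.append(f"{key}={value}")

    # Hand the driver a canonical URL rebuilt from validated parts, not the raw input.
    return True, _PREFIX + f"{kind}:{name}" + "".join(f";{s}" for s in canonical)


# Constructed sample inputs such as a data source administrator might submit.
SAMPLE_URLS = [
    "jdbc:h2:mem:reporting;MODE=PostgreSQL;DB_CLOSE_DELAY=-1",
    "jdbc:h2:/var/lib/pentaho/h2/sales;IFEXISTS=TRUE",
    "jdbc:h2:file:/var/lib/pentaho/h2/../../../etc/sales",
    "jdbc:h2:tcp://db.internal.example/reporting",
    "jdbc:h2:mem:reporting;TRACE_LEVEL_FILE=3",
    "jdbc:h2:mem:reporting;MODE=PostgreSQL;mode=MySQL",
    "jdbc:h2:mem:reporting;MODE=Postgre SQL",
]


def check_samples() -> dict[str, tuple[bool, str]]:
    """Run every sample through the validator; usable as a regression check."""
    return {url: validate_h2_url(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (ok, detail) in check_samples().items():
        print(("ACCEPT " if ok else "REJECT ") + url + "  -> " + detail)
```

Two design points matter here. First, the driver only ever sees the canonical URL rebuilt from validated parts, so whatever the administrator typed cannot smuggle extra separators or settings past the check. Second, keeping `IFEXISTS` on the allowlist lets a deployment require `IFEXISTS=TRUE`, which H2 documents as preventing a connection from creating a new database file; combined with the `file_root` containment check this stops a data source definition from writing database files outside the intended directory.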
Frequently asked questions
What is CVE-2025-11159 — External Script Execution in Hitachi Pentaho?
CVE-2025-11159 is a critical vulnerability in Hitachi Pentaho Data Integration & Analytics versions 1.0.0–11.0. It allows a data source administrator to execute arbitrary code via the H2 JDBC driver during connection creation, potentially leading to system compromise.
Am I affected by CVE-2025-11159 in Hitachi Pentaho?
If you are using Hitachi Pentaho Data Integration & Analytics versions 1.0.0 through 11.0, you are potentially affected by this vulnerability. Assess your environment and prioritize upgrading to a patched version.
How do I fix CVE-2025-11159 in Hitachi Pentaho?
The recommended fix is to upgrade Hitachi Pentaho Data Integration & Analytics to version 11.0 or later. If upgrading is not immediately possible, restrict data source administrator privileges and implement strict input validation.
Is CVE-2025-11159 being actively exploited?
While no public exploits are currently known, the vulnerability's criticality and ease of exploitation suggest a potential for active exploitation. Continuous monitoring and proactive remediation are crucial.
Where can I find the official Hitachi advisory for CVE-2025-11159?
Refer to the official Hitachi Vantara security advisory for CVE-2025-11159 on the Hitachi website. Search for 'Hitachi Pentaho CVE-2025-11159' to locate the relevant advisory.