Description

All versions of Hitachi Vantara Pentaho Data Integration & Analytics contain a JDBC driver for H2 databases that is vulnerable to external script execution when a data source administrator creates a new connection.

PUBLISHED Reserved 2025-09-29 | Published 2026-05-13 | Updated 2026-05-13 | Assigner HITVAN




CRITICAL: 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-1395: Dependency on Vulnerable Third-Party Component

Product status

Default status: unaffected

1.0 (maven) before 10.2.0.7: affected

1.0 (maven) before 11.0: affected

Credits

Nir Zadok (nirza) and Moshe Siman Tov Bustan from OX Security (finder)

References

support.pentaho.com/...-and-11-0-0-0-Impacted-CVE-2025-11159

cve.org (CVE-2025-11159)

nvd.nist.gov (CVE-2025-11159)