Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection')
CVE-2023-3517

8.5 HIGH

Key Information:

Vendor: Hitachi

CVE Published: 12 December 2023

What is CVE-2023-3517?

The vulnerability in Hitachi Vantara Pentaho Data Integration & Analytics arises from the lack of restrictions on JNDI identifiers during XActions creation. This flaw can lead to unauthorized manipulation of system-level data sources, potentially allowing attackers to gain access to sensitive information or disrupt data integration processes. Users are advised to upgrade to a fixed version to mitigate potential risks.

Affected Version(s)

Pentaho Data Integration & Analytics 1.0 < 9.3.0.5

Pentaho Data Integration & Analytics 9.4.0.0 < 9.5.0.1

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Markus Wulftange