Insecure Credential Storage in Hitachi Vantara Pentaho Data Integration & Analytics
CVE-2024-37362
6.3 MEDIUM
Key Information:
- Vendor: Hitachi
- CVE Published: 20 February 2025
Summary
The Hitachi Vantara Pentaho Data Integration & Analytics product transmits and stores authentication credentials insecurely, making it vulnerable to unauthorized interception or retrieval. Adversaries could exploit this weakness by accessing sensitive information, such as database passwords stored when saving connections to services like RedShift. Without proper protection measures, such disclosure can lead to significant security risks, allowing further exploitation of the affected systems.
Affected Version(s)
Pentaho Business Analytics Server 1.0 < 9.3.0.8
Pentaho Data Integration & Analytics 10.0 < 10.2.0.0
CVSS V3.1
- Score: 6.3
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published