Improper Control of Resource Identifiers in Hitachi Vantara Pentaho Data Integration & Analytics
CVE-2024-5706

8.8 HIGH

Summary

The vulnerability in Hitachi Vantara Pentaho Data Integration & Analytics is due to insufficient controls on JNDI identifiers when creating Community Dashboards. This lack of restrictions can allow attackers to manipulate how system-level data sources are accessed. An attacker could potentially gain unauthorized access to sensitive data and system resources, leading to the possibility of accessing protected files, including configuration files containing sensitive information. Ultimately, this flaw could enable remote code execution by unauthorized individuals, posing a significant threat to data integrity and security.

Affected Version(s)

Pentaho Business Analytics Server 1.0 < 9.3.0.9

Pentaho Data Integration & Analytics 10.0 < 10.2.0.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

tuo4n8 & thongvv (GE) from VNG Security Response Center.