CVE-2023-3517 HIGH

CVE-2023-3517: Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection')

Vendor Hitachi Vantara
Product Pentaho Data Integration & Analytics
Weakness CWE-99
Published December 12, 2023
Last update August 2, 2024

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

What the vulnerability does

01Description

Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x does not restrict JNDI identifiers during the creation of XActions, allowing control of system level data sources.

Key dates

02Disclosure timeline

December 12, 2023 CVE published
August 2, 2024 Record updated