CVE-2024-28982 HIGH

CVE-2024-28982: Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference

Vendor Hitachi Vantara
Product Pentaho Business Analytics Server
Weakness CWE-776
Published June 26, 2024
Last update September 11, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01Description

Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.

Key dates

02Disclosure timeline

June 26, 2024 CVE published
September 11, 2024 Record updated