CVE-2024-37362 MEDIUM

CVE-2024-37362: Hitachi Vantara Pentaho Data Integration & Analytics - Insufficiently Protected Credentials

Vendor Hitachi Vantara
Product Pentaho Data Integration & Analytics
Weakness CWE-522 · Insufficiently protected credentials
Published February 19, 2025
Last update February 20, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522)

Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, disclose database passwords when saving connections to RedShift.

Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation.

Key dates

02 Disclosure timeline

February 19, 2025 CVE published
February 20, 2025 Record updated