CVE-2024-37363 MEDIUM

CVE-2024-37363: Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization

Vendor Hitachi Vantara
Product Pentaho Data Integration & Analytics
Weakness CWE-862 · Missing authorization
Published February 19, 2025
Last update February 20, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (CWE-862)  Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, do not correctly perform an authorization check in the data source management service. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.

Key dates

02Disclosure timeline

February 19, 2025 CVE published
February 20, 2025 Record updated