CVE-2024-5705 HIGH

CVE-2024-5705: Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization

Vendor Hitachi Vantara

Product Pentaho Data Integration & Analytics

Weakness CWE-863 · Incorrect authorization

Published February 19, 2025

Last update February 20, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes. When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.

Key dates

02Disclosure timeline

February 19, 2025 CVE published

February 20, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-5705 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2024-5705

CWE CWE-863

CVSS 8.8 / HIGH

Affected versions

Vendor Hitachi Vantara

Product Pentaho Data Integration & Analytics

Affected ≥ 10.0 and < 10.2.0.0

Vendor Hitachi Vantara

Product Pentaho Business Analytics Server

Affected ≥ 1.0 and < 9.3.0.9

CVE-2024-5705: Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization

01Description

02Disclosure timeline

03References

04Related CVE