CVE-2024-28982

EPSS 0.3%
Veröffentlicht 26.06.2024 23:15:19
Zuletzt bearbeitet 21.11.2024 09:07:19
Quelle security.vulnerabilities@hitac
Teams Watchlist Login
Unerledigt Login

Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hitachi ≫ Pentaho Business Analytics Server Version >= 8.3.0 < 9.3.0.7

Hitachi ≫ Pentaho Business Analytics Server Version >= 9.3.1.0 < 10.1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.3%	0.528

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
security.vulnerabilities@hitachivantara.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-28982

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-28982

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-28982

EUVD