CVE-2024-28982

EPSS 0.3%
Published 26.06.2024 23:15:19
Last modified 21.11.2024 09:07:19
Source security.vulnerabilities@hitac
Teams watchlist Login
Open Login

Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Hitachi ≫ Pentaho Business Analytics Server Version >= 8.3.0 < 9.3.0.7

Hitachi ≫ Pentaho Business Analytics Server Version >= 9.3.1.0 < 10.1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.3%	0.528

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
security.vulnerabilities@hitachivantara.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-28982

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-28982

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-28982

EUVD