CVE-2024-28982

EUVD-2024-26044
Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.
XML Entity Expansion
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
Affected Products (NVD)
VendorProductVersion
hitachipentaho_business_analytics_server
8.3.0 ≤
𝑥
< 9.3.0.7
hitachipentaho_business_analytics_server
9.3.1.0 ≤
𝑥
< 10.1.0.0
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
hitachi_vantarapentaho_business_analytics_server
1.0 ≤
𝑥
< 9.3.0.7
ADP
hitachi_vantarapentaho_business_analytics_server
8.3 ≤
𝑥
< 10.1.0.0
ADP
Common Weakness Enumeration
References
https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982
https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982