CVE-2025-0758

16.04.2025, 23:15

Overview

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (CWE-732)

Description

Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, is installed with Karaf JMX beans enabled and accessible by default.

Impact

When the vulnerability is leveraged, a user with local execution privileges can access functionality exposed by Karaf beans contained in the product.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.1 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
HITVAN	CNA	6.1 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Common Weakness Enumeration

CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

https://support.pentaho.com/hc/en-us/articles/35781318194061--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Incorrect-Permission-Assignment-for-Critical-Resource-Versions-before-10-2-0-2-including-9-3-x-Impacted-CVE-2025-0758