CVE-2024-28982 Vulnerability Details


CVE-2024-28982 Metadata Quick Info

CVE Published: 26/06/2024 | CVE Updated: 11/09/2024 | CVE Year: 2024
Source: HITVAN | Vendor: Hitachi Vantara | Product: Pentaho Business Analytics Server
Status : PUBLISHED

CVE-2024-28982 Description

Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including the 8.3.x line, do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity (XXE) references. The assigned weakness (CWE-776) and attack pattern (CAPEC-197), together with the C:N/I:L/A:H impact, indicate that the practical effect is denial of service through recursive entity expansion of attacker-supplied XML (the "billion laughs" pattern) rather than data exfiltration; any authenticated low-privileged user (PR:L) can trigger it over the network with no user interaction.
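The weakness class behind this CVE, shown as an added example that is not Pentaho's code and does not reproduce the ACL endpoint: a naive XML parser expands every internal entity declared in the DTD, so a document of a few hundred bytes unfolds into far more text than arrived on the wire, while a parser that refuses any DOCTYPE declaration (the equivalent of the `disallow-doctype-decl` feature in Java parsers) stops the expansion before the first entity is defined. The payload, the `<acl>` element names and the expansion depth are constructed for the demonstration and kept deliberately small.

```python
"""Added example: XML entity expansion ("billion laughs") against a parser with
default settings, next to a hardened parser that rejects DTDs outright.
Not Pentaho's code; payload and element names are constructed here."""
import xml.parsers.expat

# Constructed payload: three expansion levels of 8 references each, so &lol3;
# unfolds to 8**3 = 512 copies of "lol" (1536 characters) from ~300 bytes on the
# wire. A real attack uses ~10 levels of 10 for gigabyte-scale expansion.
EXPANSION_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE acl [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<acl><permission>&lol3;</permission></acl>
"""

# Constructed benign request of the same shape, with no DTD at all.
BENIGN_PAYLOAD = b'<?xml version="1.0"?><acl><permission>READ</permission></acl>'


class DoctypeRejected(ValueError):
    """Raised when a document carries a DTD and the hardened parser refuses it."""


def _collect_text(parser, data):
    """Drive an expat parser over data and return all character data it reports."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_unsafe(data):
    """Vulnerable pattern: expat with default settings expands every internal entity."""
    return _collect_text(xml.parsers.expat.ParserCreate(), data)


def parse_hardened(data):
    """Hardened pattern: reject any DOCTYPE before an entity can be declared.

    Refusing the DTD removes both internal-entity expansion (DoS) and external
    entity references (classic XXE) in one step; the endpoint in question has no
    legitimate need for a DTD in client-supplied XML.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject(doctype_name, system_id, public_id, has_internal_subset):
        # Raising inside the handler aborts Parse() and propagates to the caller.
        raise DoctypeRejected(f"DTD not allowed (DOCTYPE {doctype_name})")

    parser.StartDoctypeDeclHandler = reject
    # Belt and braces: returning 0 makes expat fail any external entity reference.
    parser.ExternalEntityRefHandler = lambda *args: 0
    return _collect_text(parser, data)


def amplification(data):
    """Ratio of expanded text size to wire size: the figure an entity-expansion
    limit (for example the JDK's entityExpansionLimit) is meant to cap."""
    return len(parse_unsafe(data)) / len(data)


def hardened_accepts(data):
    """True if the hardened parser processes the document, False if it rejects the DTD."""
    try:
        parse_hardened(data)
    except DoctypeRejected:
        return False
    return True


if __name__ == "__main__":
    print("unsafe parser expanded to", len(parse_unsafe(EXPANSION_PAYLOAD)), "chars")
    print("amplification factor: %.1fx" % amplification(EXPANSION_PAYLOAD))
    print("hardened accepts attack payload:", hardened_accepts(EXPANSION_PAYLOAD))
    print("hardened accepts benign payload:", hardened_accepts(BENIGN_PAYLOAD),
          "->", parse_hardened(BENIGN_PAYLOAD))
```

Rejecting the DTD is the cheapest fix and the one to prefer for a service endpoint that only ever receives plain element markup; where a DTD must be tolerated, the fallback is an expansion limit on the parser, which bounds the amplification factor rather than the input size.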

Metrics

CVSS Version: 3.1 | Base Score: 7.1 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Exploitability Metrics:
    Attack Vector (AV): NETWORK
    Attack Complexity (AC): LOW
    Privileges Required (PR): LOW
    User Interaction (UI): NONE
    Scope (S): UNCHANGED

Impact Metrics:
    Confidentiality Impact (C): NONE
    Integrity Impact (I): LOW
    Availability Impact (A): HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-776
CWE Name: CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Source: Hitachi Vantara

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-197
CAPEC Description: CAPEC-197 Exponential Data Expansion


Source: NVD (National Vulnerability Database).