Lucene search

HITVANCVELIST:CVE-2022-43941

HistoryApr 03, 2023 - 6:44 p.m.

CVE-2022-43941 Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference

2023-04-0318:44:41

CWE-611

HITVAN

www.cve.org

hitachi vantara

pentaho

xml external entity

vulnerability

data access plugin

post analysis service

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

EPSS

0.001

Percentile

27.5%

JSON

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.2, including 8.3.x do not correctly protect the Post Analysis service endpoint of the data access plugin against out-of-band XML External Entity Reference.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Data Access Plugin"
    ],
    "product": "Pentaho Business Analytics Server",
    "vendor": "Hitachi Vantara ",
    "versions": [
      {
        "lessThan": "9.3.0.2",
        "status": "affected",
        "version": "1.0",
        "versionType": "maven"
      },
      {
        "lessThan": "9.4.0.1",
        "status": "affected",
        "version": "9.4.0.0",
        "versionType": "maven"
      }
    ]
  }
]

References

support.pentaho.com/hc/en-us/articles/14456719346957--Resolved-Pentaho-BA-Server-Improper-Restriction-of-XML-External-Entity-Reference-Versions-before-9-4-0-1-and-9-3-0-2-including-8-3-x-Impacted-CVE-2022-43940-CVE-2022-43941-

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

EPSS

0.001

Percentile

27.5%

JSON

Related for CVELIST:CVE-2022-43941