cvelist / HITVAN / CVELIST:CVE-2023-3517
Dec 12, 2023 - 10:28 p.m.

CVE-2023-3517 Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection')

2023-12-12 22:28:08
CWE-99
HITVAN
www.cve.org
hitachi vantara
pentaho
data integration
vulnerability
resource injection
system level data sources

CVSS3: 8.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

AI Score: 9 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 19.5%)

Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including 8.3.x, do not restrict JNDI identifiers during the creation of XActions, allowing control of system level data sources.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Pentaho Data Integration & Analytics",
    "vendor": "Hitachi Vantara",
    "versions": [
      {
        "lessThan": "9.3.0.5",
        "status": "affected",
        "version": "1.0",
        "versionType": "maven"
      },
      {
        "lessThan": "9.5.0.1",
        "status": "affected",
        "version": "9.4.0.0",
        "versionType": "maven"
      }
    ]
  }
]
