{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28982", "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "state": "PUBLISHED", "assignerShortName": "HITVAN", "dateReserved": "2024-03-13T19:18:14.913Z", "datePublished": "2024-06-26T22:37:01.285Z", "dateUpdated": "2024-09-11T23:39:29.658Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Pentaho User Console"], "product": "Pentaho Business Analytics Server", "vendor": "Hitachi Vantara", "versions": [{"lessThan": "9.3.0.7", "status": "affected", "version": "1.0", "versionType": "maven"}, {"lessThan": "10.1.0.0", "status": "affected", "version": "8.3", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Yesenia Trejo - Strike Security"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span>"}], "value": "Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference."}], "impacts": [{"capecId": "CAPEC-197", "descriptions": [{"lang": "en", "value": "CAPEC-197 Exponential Data Expansion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-776", "description": "CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "shortName": "HITVAN", "dateUpdated": "2024-09-11T23:39:29.658Z"}, "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982"}], "source": {"discovery": "UNKNOWN"}, "title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "hitachi_vantara", "product": "pentaho_business_analytics_server", "cpes": ["cpe:2.3:a:hitachi_vantara:pentaho_business_analytics_server:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "1.0", "status": "affected", "lessThan": "9.3.0.7", "versionType": "maven"}, {"version": "8.3", "status": "affected", "lessThan": "10.1.0.0", "versionType": "maven"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-09T19:05:59.725032Z", "id": "CVE-2024-28982", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T19:15:50.518Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.450Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.450Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28982", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-09T19:05:59.725032Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:hitachi_vantara:pentaho_business_analytics_server:*:*:*:*:*:*:*:*"], "vendor": "hitachi_vantara", "product": "pentaho_business_analytics_server", "versions": [{"status": "affected", "version": "1.0", "lessThan": "9.3.0.7", "versionType": "maven"}, {"status": "affected", "version": "8.3", "lessThan": "10.1.0.0", "versionType": "maven"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T19:12:11.934Z"}}], "cna": {"title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Yesenia Trejo - Strike Security"}], "impacts": [{"capecId": "CAPEC-197", "descriptions": [{"lang": "en", "value": "CAPEC-197 Exponential Data Expansion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hitachi Vantara", "modules": ["Pentaho User Console"], "product": "Pentaho Business Analytics Server", "versions": [{"status": "affected", "version": "1.0", "lessThan": "9.3.0.7", "versionType": "maven"}, {"status": "affected", "version": "8.3", "lessThan": "10.1.0.0", "versionType": "maven"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-776", "description": "CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')"}]}], "providerMetadata": {"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "shortName": "HITVAN", "dateUpdated": "2024-09-11T23:39:29.658Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28982", "state": "PUBLISHED", "dateUpdated": "2024-09-11T23:39:29.658Z", "dateReserved": "2024-03-13T19:18:14.913Z", "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "datePublished": "2024-06-26T22:37:01.285Z", "assignerShortName": "HITVAN"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hitachi:pentaho_business_analytics_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A2AC542-B90F-4FF4-A92E-9D6B16CFC68D", "versionEndExcluding": "9.3.0.7", "versionStartIncluding": "8.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hitachi:pentaho_business_analytics_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBB989D9-613E-472B-9F38-DF5C9F19873C", "versionEndExcluding": "10.1.0.0", "versionStartIncluding": "9.3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference."}, {"lang": "es", "value": " Las versiones de Hitachi Vantara Pentaho Business Analytics Server anteriores a 10.1.0.0 y 9.3.0.7, incluida 8.3.x, no protegen correctamente el endpoint del servicio ACL de Pentaho User Console contra la referencia de entidad externa XML."}], "id": "CVE-2024-28982", "lastModified": "2024-09-18T14:36:53.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}]}, "published": "2024-06-26T23:15:19.287", "references": [{"source": "security.vulnerabilities@hitachivantara.com", "tags": ["Vendor Advisory"], "url": "https://support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Restriction-of-XML-External-Entity-Reference-versions-before-10-1-0-0-and-9-3-0-7-including-8-3-x-Impacted-CVE-2024-28982"}], "sourceIdentifier": "security.vulnerabilities@hitachivantara.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-776"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-776"}], "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}]}

{}