CVE-2024-37362

MEDIUM

Hitachi Vantara Pentaho Data Integration & Analytics <10.2.0.0-9.3....

Title source: llm

Description

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522) Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift. Products must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation.

References (1)

[Various Sources] https://support.pentaho.com/hc/en-us/articles/34296552220941--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Insufficiently-Protected-Credentials-Versions-before-10-2-0-0-and-9-3-0-8-including-8-3-x-Impacted-CVE-2024-37362

Scores

CVSS v3 6.3

EPSS 0.0014

EPSS Percentile 34.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-522

Status published

Products (2)

Hitachi Vantara/Pentaho Business Analytics Server 1.0 - 9.3.0.8

Hitachi Vantara/Pentaho Data Integration & Analytics 10.0 - 10.2.0.0

Published Feb 20, 2025

Tracked Since Feb 18, 2026