CVE-2024-6696

MEDIUM

Hitachi Vantara Pentaho <10.2.0.0-9.3.0.9 - Info Disclosure

Title source: llm

Description

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (CWE-1220) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not correctly perform an authorization check in the user console trash content An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network.

References (1)

[Various Sources] https://support.pentaho.com/hc/en-us/articles/34296877157517--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Insufficient-Granularity-of-Access-Control-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6696

Scores

CVSS v3 4.9

EPSS 0.0004

EPSS Percentile 10.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1220

Status published

Products (2)

Hitachi Vantara/Pentaho Business Analytics Server 1.0 - 9.3.0.9

Hitachi Vantara/Pentaho Data Integration & Analytics 10.0 - 10.2.0.0

Published Feb 20, 2025

Tracked Since Feb 18, 2026