PT-2023-15592 · Hitachi Vantara · Pentaho Business Analytics Server
Clarence Liau · Published 2023-05-24 · Updated 2023-06-01
CVE-2022-4815
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Pentaho Business Analytics Server versions prior to 9.4.0.1
Pentaho Business Analytics Server versions prior to 9.3.0.3
Pentaho Business Analytics Server version 8.3.x
Description
The vulnerability is deserialization of untrusted JSON data without proper constraints on the parser: the type information carried in attacker-controlled JSON is honoured as-is, so the parser can be made to instantiate unapproved classes and invoke their methods.
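To make the weakness class concrete, the following is an added example; it is not code from the advisory, from Hitachi Vantara, or from Pentaho. It assumes Jackson purely as a representative JSON library (the advisory does not say which parser Pentaho uses), a hypothetical application model class `ReportRequest`, and a constructed JSON payload. It places a parser with unconstrained polymorphic typing beside one whose type handling is restricted to an explicit allowlist.

```java
// Added example, not from the advisory or the Pentaho project.
// Jackson is assumed only as a representative JSON library.
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class ConstrainedJsonDeserializer {

    // Hypothetical application model class: the only type the
    // application legitimately needs to deserialize polymorphically.
    public static class ReportRequest {
        public String reportName;
    }

    // Weak configuration: polymorphic typing is enabled with no validator,
    // so whatever class name the client writes into the "@class" field is
    // resolved and instantiated. This is the "no constraints on the parser"
    // situation the advisory describes; shown for contrast only.
    static ObjectMapper unconstrainedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated, unsafe
        return mapper;
    }

    // Hardened configuration: a PolymorphicTypeValidator allowlist means a
    // type id is only honoured if it names a subtype of an approved class.
    // Everything else is rejected before any constructor or setter runs.
    static ObjectMapper constrainedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(ReportRequest.class)   // approved model type(s) only
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                                     JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    // Returns a short verdict for one mapper/payload pair.
    static String tryDeserialize(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return "accepted as " + value.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return "rejected: type id not on allowlist";
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed payloads. The first names an approved type; the second
        // names an arbitrary JDK class that the application never expects.
        String approved = "{\"@class\":\"" + ReportRequest.class.getName()
                        + "\",\"reportName\":\"q1-summary\"}";
        String unapproved = "{\"@class\":\"java.util.HashMap\",\"reportName\":\"q1-summary\"}";

        System.out.println("unconstrained / approved:   " + tryDeserialize(unconstrainedMapper(), approved));
        System.out.println("unconstrained / unapproved: " + tryDeserialize(unconstrainedMapper(), unapproved));
        System.out.println("constrained   / approved:   " + tryDeserialize(constrainedMapper(), approved));
        System.out.println("constrained   / unapproved: " + tryDeserialize(constrainedMapper(), unapproved));
    }
}
```

The unconstrained mapper resolves both type ids, so the client decides which class gets instantiated; the constrained mapper accepts `ReportRequest` and raises `InvalidTypeIdException` for `java.util.HashMap`. The general point is that the allowlist, not the input, has to decide which classes a deserializer may touch; an upgrade that fixes this class of bug typically tightens exactly that boundary.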
Recommendations
For versions prior to 9.4.0.1, update to version 9.4.0.1 or later.
For versions prior to 9.3.0.3, update to version 9.3.0.3 or later.
Version 8.3.x is affected; upgrade to a newer release line that includes the security fixes.
Fix
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Pentaho Business Analytics Server