PT-2023-25181 · Hitachi Vantara · Pentaho Data Integration & Analytics

Markus Wulftange

Published

2023-12-12

Updated

2023-12-18

CVE-2023-3517

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 9.5.0.1 Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 9.3.0.5 Hitachi Vantara Pentaho Data Integration & Analytics version 8.3.x

Description The issue allows control of system level data sources due to the lack of restriction on JNDI identifiers during the creation of XActions.

Recommendations For versions prior to 9.5.0.1, update to version 9.5.0.1 or later. For versions prior to 9.3.0.5, update to version 9.3.0.5 or later. For version 8.3.x, consider restricting the creation of XActions or disabling the feature until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-99

Related Identifiers

CVE-2023-3517

Affected Products

Pentaho Data Integration & Analytics

PT-2023-25181 · Hitachi Vantara · Pentaho Data Integration & Analytics

CVE-2023-3517

Weakness Enumeration

Related Identifiers

Affected Products

References · 6