PT-2024-27500 · Hitachi Vantara · Hitachi Vantara Pentaho Business Analytics Server

Published 2024-08-20 · Updated 2025-02-24 · CVE-2024-37361

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.0 and 9.3.0.9, including 8.3.x
Description: The application deserializes untrusted JSON data without sufficiently verifying that the resulting data will be valid, and without constraining the parser to approved classes and methods. When developers place no restrictions on "gadget chains," that is, series of object instances and method invocations that can self-execute during the deserialization process, it is sometimes possible for attackers to leverage them to perform unauthorized actions. Per the CVSS vector, the attack is reachable over the network by an authenticated user with low privileges (PR:L) and requires no user interaction (UI:N); the scope change (S:C) indicates that impact is not confined to the vulnerable component.
Recommendations: For Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.0 and 9.3.0.9, including 8.3.x, update to version 10.2.0.0 or 9.3.0.9 or later to resolve the issue. As a temporary workaround, restrict the deserialization of untrusted JSON data to an explicit allow-list of approved classes and methods. Restrict access to the vulnerable API endpoints to minimize the risk of exploitation, and avoid passing untrusted input through the affected parameters or variables of those endpoints until the issue is resolved. At the moment, there is no other information about additional mitigation measures.
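The description and recommendations above state the weakness in the abstract. The following example is added here to illustrate it and is not Pentaho code; it does not reflect which JSON library or type-tag convention the affected product uses. It assumes a hypothetical "@class" key that names the class to instantiate (the same idea as polymorphic type handling in Java JSON libraries), shows the vulnerable pattern in which any importable class named in the payload is constructed during parsing, and beside it the hardened pattern the workaround describes: an allow-list of approved classes whose declared fields are the only accepted input. tempfile.TemporaryDirectory stands in for a gadget because its constructor has a visible but harmless side effect (it creates a directory) the moment it runs. All payloads are constructed for the example.

```python
"""Added illustration of CWE-502 in type-tagged JSON (not Pentaho code)."""
import importlib
import json
import os
from dataclasses import dataclass, fields
from typing import Any

# Hypothetical type-tag key chosen for this example; real libraries use
# their own convention. The key name is an assumption, not Pentaho's.
TYPE_KEY = "@class"


@dataclass(frozen=True)
class ReportFilter:
    """An application type that JSON is legitimately allowed to populate."""
    field: str
    value: str


def unsafe_hook(obj: dict) -> Any:
    """Vulnerable pattern: the payload names the class to build.

    Any importable class is resolved and its constructor runs while the
    document is still being parsed, with constructor arguments supplied by
    the attacker. That is the foothold a gadget chain needs: parsing alone
    triggers side effects, no application code has to call anything later.
    """
    tag = obj.pop(TYPE_KEY, None)
    if tag is None:
        return obj
    module_name, _, cls_name = tag.rpartition(".")
    cls = getattr(importlib.import_module(module_name), cls_name)
    return cls(**obj)


# Hardened pattern: the payload may only select from a fixed allow-list of
# application types, keyed by short names so no module path is ever looked
# up, and only each type's declared fields are accepted.
ALLOWED_TYPES = {"ReportFilter": ReportFilter}


def safe_hook(obj: dict) -> Any:
    tag = obj.pop(TYPE_KEY, None)
    if tag is None:
        return obj
    cls = ALLOWED_TYPES.get(tag)
    if cls is None:
        raise ValueError(f"type {tag!r} is not an approved deserialization target")
    declared = {f.name for f in fields(cls)}
    if set(obj) != declared:
        raise ValueError(f"fields for {tag!r} do not match its declaration")
    return cls(**obj)


def load_unsafe(text: str) -> Any:
    return json.loads(text, object_hook=unsafe_hook)


def load_safe(text: str) -> Any:
    return json.loads(text, object_hook=safe_hook)


# Constructed sample payloads for the example.
BENIGN = '{"@class": "ReportFilter", "field": "region", "value": "EMEA"}'
# Harmless stand-in for a gadget: a class whose constructor has a side
# effect (creating a directory) as soon as it is instantiated.
GADGET = '{"@class": "tempfile.TemporaryDirectory", "prefix": "gadget_demo_"}'


def demo() -> dict:
    """Run both loaders over both payloads and report what happened."""
    result = {"benign": load_safe(BENIGN)}
    try:
        load_safe(GADGET)
        result["safe_blocked_gadget"] = False
    except ValueError:
        result["safe_blocked_gadget"] = True
    created = load_unsafe(GADGET)  # side effect fires inside json.loads
    result["unsafe_side_effect"] = os.path.isdir(created.name)
    created.cleanup()
    return result


if __name__ == "__main__":
    print(demo())
```

The safe hook keys the allow-list by short name rather than by importable path, so the payload can never influence which module is loaded, and it rejects any field set that does not exactly match the target type's declaration, which closes off constructor arguments the application never intended to expose. This is what "restricting deserialization to approved classes and methods" means in practice; it reduces exposure but is a workaround, and upgrading to the fixed versions remains the actual remediation.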

Weakness Enumeration

Deserialization of Untrusted Data (CWE-502)

Related Identifiers

BDU:2025-02157
CVE-2024-37361

Affected Products

Hitachi Vantara Pentaho Business Analytics Server