PT-2025-7446 · Hitachi Vantara · Pentaho Data Integration & Analytics

Published: 2024-06-06 · Updated: 2025-02-21 · CVE-2024-5706

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho Data Integration & Analytics versions prior to 10.2.0.0 and 9.3.0.9, including 8.3.x

Description: The product receives input from an upstream component but does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. This could allow an attacker to gain access to or modify sensitive data or system resources, potentially leading to remote code execution by unauthorized users.

Recommendations: For versions prior to 10.2.0.0 and 9.3.0.9, including 8.3.x, update to version 10.2.0.0 or 9.3.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the JNDI identifiers during the creation of Community Dashboards to minimize the risk of exploitation. Restrict access to sensitive data and system resources to prevent unauthorized access or modification.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2025-02159
CVE-2024-5706

Affected Products

Pentaho Data Integration & Analytics