CVE-2024-37361

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods. When developers place no restrictions on "gadget chains," or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://support.pentaho.com/hc/en-us/articles/34299135441805--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37361

Configurations

No configuration.

History

20 Feb 2025, 15:15

Type	Values Removed	Values Added
Summary		(es) La aplicación deserializa datos no confiables sin verificar suficientemente que los datos resultantes sean válidos. (CWE-502) Las versiones de Hitachi Vantara Pentaho Business Analytics Server anteriores a 10.2.0.0 y 9.3.0.9, incluida la 8.3.x, deserializan datos JSON no confiables sin restringir el analizador a clases y métodos aprobados. Cuando los desarrolladores no imponen restricciones a las "gadget chains", o series de instancias e invocaciones de métodos que pueden autoejecutarse durante el proceso de deserialización (es decir, antes de que el objeto se devuelva al autor de la llamada), a veces es posible que los atacantes las aprovechen para realizar acciones no autorizadas.
References	{'url': 'https://support.pentaho.com/hc/en-us/articles/34298351866893--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Neutralization-of-Input-During-Web-Page-Generation-Cross-site-Scripting-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37360', 'source': 'security.vulnerabilities@hitachivantara.com'}	() https://support.pentaho.com/hc/en-us/articles/34299135441805--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37361 -

20 Feb 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-20 00:15

Updated : 2025-02-20 15:15

NVD link : CVE-2024-37361

Mitre link : CVE-2024-37361

CVE.ORG link : CVE-2024-37361

JSON object : View

Products Affected

No product.

CWE

CWE-502

Deserialization of Untrusted Data

9.9 /10