CVE-2024-37362

{"id": "CVE-2024-37362", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security.vulnerabilities@hitachivantara.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2025-02-20T00:15:19.630", "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/34296552220941--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Insufficiently-Protected-Credentials-Versions-before-10-2-0-0-and-9-3-0-8-including-8-3-x-Impacted-CVE-2024-37362", "source": "security.vulnerabilities@hitachivantara.com"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "security.vulnerabilities@hitachivantara.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. (CWE-522) \n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.8, including 8.3.x, discloses database passwords when saving connections to RedShift.\n\n\n\n\u00a0\n\n\n\nProducts must not disclose sensitive information without cause. Disclosure of sensitive information can lead to further exploitation."}], "lastModified": "2025-02-20T00:15:19.630", "sourceIdentifier": "security.vulnerabilities@hitachivantara.com"}