Pentaho Data Integration JNDI ID unsanitization in XActions <9.5.0.1/9.3.0.5
CVE-2023-3517 Published on December 12, 2023
Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection')
Hitachi Vantara Pentaho Data Integration & Analytics versions before 9.5.0.1 and 9.3.0.5, including
8.3.x does not restrict JNDI identifiers during the creation of XActions, allowing control of system level data sources.
Vulnerability Analysis
CVE-2023-3517 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Type
What is an Insecure Direct Object Reference Vulnerability?
The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.
CVE-2023-3517 has been classified to as an Insecure Direct Object Reference vulnerability or weakness.
Products Associated with CVE-2023-3517
Want to know whenever a new CVE is published for Hitachi Pentaho Data Integration Analytics? stack.watch will email you.
Affected Versions
Hitachi Vantara Pentaho Data Integration & Analytics:- Version 1.0 and below 9.3.0.5 is affected.
- Version 9.4.0.0 and below 9.5.0.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.