{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6697", "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "state": "PUBLISHED", "assignerShortName": "HITVAN", "dateReserved": "2024-07-11T15:18:02.001Z", "datePublished": "2025-02-19T23:32:18.713Z", "dateUpdated": "2025-02-20T17:23:54.281Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Pentaho Data Integration & Analytics", "vendor": "Hitachi Vantara", "versions": [{"lessThan": "10.2.0.0", "status": "affected", "version": "10.0", "versionType": "maven"}]}, {"defaultStatus": "unaffected", "product": "Pentaho Business Analytics Server", "vendor": "Hitachi Vantara", "versions": [{"lessThan": "9.3.0.9", "status": "affected", "version": "1.0", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Hitachi Group Member"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><p><span style=\"background-color: var(--wht);\">The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)</span></p></div><div><p>&nbsp;</p></div><div><p><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.</span></p></div><div><p>&nbsp;</p></div><div><p><span style=\"background-color: var(--wht);\">An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.</span></p></div>"}], "value": "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)\n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.\n\n\n\n\u00a0\n\n\n\nAn adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact."}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-280", "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "shortName": "HITVAN", "dateUpdated": "2025-02-19T23:32:18.713Z"}, "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/34296654642701--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Handling-of-Insufficient-Permissions-or-Privileges-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6697"}], "source": {"discovery": "UNKNOWN"}, "title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Handling of Insufficient Permissions or Privileges", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-20T17:23:21.950806Z", "id": "CVE-2024-6697", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-20T17:23:54.281Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6697", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-20T17:23:21.950806Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-20T17:23:50.763Z"}}], "cna": {"title": "Hitachi Vantara Pentaho Business Analytics Server - Improper Handling of Insufficient Permissions or Privileges", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Hitachi Group Member"}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hitachi Vantara", "product": "Pentaho Data Integration & Analytics", "versions": [{"status": "affected", "version": "10.0", "lessThan": "10.2.0.0", "versionType": "maven"}], "defaultStatus": "unaffected"}, {"vendor": "Hitachi Vantara", "product": "Pentaho Business Analytics Server", "versions": [{"status": "affected", "version": "1.0", "lessThan": "9.3.0.9", "versionType": "maven"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.pentaho.com/hc/en-us/articles/34296654642701--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Handling-of-Insufficient-Permissions-or-Privileges-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6697"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)\n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.\n\n\n\n\u00a0\n\n\n\nAn adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.", "supportingMedia": [{"type": "text/html", "value": "<div><p><span style=\"background-color: var(--wht);\">The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)</span></p></div><div><p>&nbsp;</p></div><div><p><span style=\"background-color: var(--wht);\">Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.</span></p></div><div><p>&nbsp;</p></div><div><p><span style=\"background-color: var(--wht);\">An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.</span></p></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-280", "description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges"}]}], "providerMetadata": {"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "shortName": "HITVAN", "dateUpdated": "2025-02-19T23:32:18.713Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6697", "state": "PUBLISHED", "dateUpdated": "2025-02-20T17:23:54.281Z", "dateReserved": "2024-07-11T15:18:02.001Z", "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "datePublished": "2025-02-19T23:32:18.713Z", "assignerShortName": "HITVAN"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)\n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.\n\n\n\n\u00a0\n\n\n\nAn adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact."}], "id": "CVE-2024-6697", "lastModified": "2025-02-20T00:15:20.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}]}, "published": "2025-02-20T00:15:20.010", "references": [{"source": "security.vulnerabilities@hitachivantara.com", "url": "https://support.pentaho.com/hc/en-us/articles/34296654642701--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Handling-of-Insufficient-Permissions-or-Privileges-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6697"}], "sourceIdentifier": "security.vulnerabilities@hitachivantara.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-280"}], "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}]}

{}