FKIE_CVE-2024-6697

Vulnerability from fkie_nvd - Published: 2025-02-20 00:15 - Updated: 2025-02-20 00:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)   Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.   An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact.
References
security.vulnerabilities@hitachivantara.comhttps://support.pentaho.com/hc/en-us/articles/34296654642701--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Handling-of-Insufficient-Permissions-or-Privileges-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6697
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. (CWE-280)\n\n\n\n\u00a0\n\n\n\nHitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not handle invalid and missing permissions correctly, resulting in a denial of service.\n\n\n\n\u00a0\n\n\n\nAn adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact."
    },
    {
      "lang": "es",
      "value": "El producto no gestiona o gestiona incorrectamente cuando no tiene suficientes privilegios para acceder a los recursos o la funcionalidad seg\u00fan lo especificado por sus permisos. Esto puede provocar que siga rutas de c\u00f3digo inesperadas que pueden dejar al producto en un estado no v\u00e1lido. (CWE-280) Las versiones de Hitachi Vantara Pentaho Business Analytics Server anteriores a 10.2.0.0 y 9.3.0.9, incluida la 8.3.x, no manejan correctamente los permisos no v\u00e1lidos o faltantes, lo que da como resultado una denegaci\u00f3n de servicio. Un adversario aprovecha una capacidad leg\u00edtima de una aplicaci\u00f3n de tal manera que logra un impacto t\u00e9cnico negativo."
    }
  ],
  "id": "CVE-2024-6697",
  "lastModified": "2025-02-20T00:15:20.010",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security.vulnerabilities@hitachivantara.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-20T00:15:20.010",
  "references": [
    {
      "source": "security.vulnerabilities@hitachivantara.com",
      "url": "https://support.pentaho.com/hc/en-us/articles/34296654642701--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Improper-Handling-of-Insufficient-Permissions-or-Privileges-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-6697"
    }
  ],
  "sourceIdentifier": "security.vulnerabilities@hitachivantara.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-280"
        }
      ],
      "source": "security.vulnerabilities@hitachivantara.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.