CVE-2024-37361

CVE-2024-37361 is a deserialization of untrusted data vulnerability (CWE-502) affecting Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x. The application deserializes untrusted JSON data without sufficiently verifying that the resulting data will be valid or constraining the parser to approved classes and methods. This lack of restrictions on gadget chains—series of instances and method invocations that can self-execute during deserialization—allows attackers to leverage them for unauthorized actions.

The vulnerability has a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity and no user interaction, but requires low privileges. An authenticated attacker with low privileges can supply malicious JSON data, triggering gadget chains during deserialization to achieve high-impact confidentiality, integrity, and availability compromises, including potential remote code execution before the object is returned to the caller.

The Hitachi Vantara Pentaho support advisory confirms the issue is resolved in versions 10.2.0.0 and 9.3.0.9. Security practitioners should upgrade affected installations to these versions for mitigation. Details are available at https://support.pentaho.com/hc/en-us/articles/34299135441805--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Deserialization-of-Untrusted-Data-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37361.