CVE-2024-5705
Published: 19 February 2025
Description
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863)

Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes.

When access control checks are incorrectly applied, users can access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures and denial of service.
Security Summary
CVE-2024-5705 is an incorrect authorization vulnerability (CWE-863) affecting Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including the 8.3.x series. The issue stems from flawed authorization checks that fail to properly restrict access to resources or actions, allowing attackers to bypass intended controls. Additionally, modules are enabled by default in these versions that permit execution of system-level processes, exacerbating the risk. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity.
Low-privileged remote users (PR:L) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction required. Successful exploitation enables attackers to access unauthorized data, perform restricted actions, and execute system-level processes, potentially leading to information disclosure, arbitrary code execution, denial of service, and other impacts across confidentiality, integrity, and availability.
The official Pentaho support advisory confirms the issue as resolved in versions 10.2.0.0 and 9.3.0.9, recommending upgrades to these patched releases for mitigation. Administrators should verify module configurations to disable unnecessary system process execution capabilities where possible.
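The version thresholds above are easy to misread when triaging an inventory, so here is an added affected-version check (example code, not from the advisory or from Hitachi Vantara). It assumes the fixed builds are 10.2.0.0 on the main line and 9.3.0.9 on the 9.3 maintenance branch, that everything else below 10.2.0.0 (all of 8.3.x included) is affected, and that version strings may carry a "-NNN" build suffix.

```python
"""Affected-version triage for CVE-2024-5705 (added example; not code from the
advisory or from Hitachi Vantara). Assumed reading of the advisory: fixed
releases are 10.2.0.0 and, on the 9.3 branch, 9.3.0.9; every other build below
10.2.0.0, including all of 8.3.x, is treated as affected."""
from __future__ import annotations

FIXED_MAIN = (10, 2, 0, 0)   # first fixed release on the main line
FIXED_93 = (9, 3, 0, 9)      # first fixed release on the 9.3 maintenance branch


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Normalise a Pentaho version string to a 4-tuple of ints.

    Accepts 'major.minor.patch.build' with fewer components (padded with 0)
    and an optional '-NNN' build suffix (assumed format, e.g. '9.3.0.0-431'),
    which is ignored for comparison purposes."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


def is_affected(text: str) -> bool:
    """True if the given Pentaho BA Server version is in the affected range."""
    v = parse_version(text)
    if v >= FIXED_MAIN:
        return False
    if v[:2] == (9, 3) and v >= FIXED_93:
        return False
    return True


def recommended_target(text: str) -> str:
    """Closest patched release for an affected version (9.3.x stays on its
    maintenance branch; everything else goes to 10.2.0.0)."""
    v = parse_version(text)
    return "9.3.0.9" if v[:2] == (9, 3) else "10.2.0.0"


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (host, current_version, target_version) for every affected host."""
    return [(host, ver, recommended_target(ver))
            for host, ver in sorted(inventory.items()) if is_affected(ver)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"bi-prod-01": "9.3.0.8-120", "bi-prod-02": "9.3.0.9",
              "bi-legacy": "8.3.0.0", "bi-dev": "10.1.0.0-77", "bi-new": "10.2.0.0"}
    for host, ver, target in triage(sample):
        print(f"{host}: {ver} affected by CVE-2024-5705 -> upgrade to {target}")
```

Versions with non-numeric components raise ValueError rather than being silently classified, so unusual builds surface for manual review.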
Details
- CWE(s)