CVE-2024-5706

CVE-2024-5706 is a resource injection vulnerability (CWE-99) in Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including the 8.3.x series. The issue arises because the software receives input from an upstream component without properly restricting it before using it as an identifier for resources outside its intended control. Specifically, it fails to restrict JNDI identifiers during the creation of Community Dashboards, enabling attackers to control system-level data sources.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high confidentiality, integrity, and availability impacts (CVSS 8.8). This allows unauthorized access to or modification of sensitive data and system resources, including protected files and directories such as configuration files containing sensitive information, potentially leading to remote code execution.

The official advisory from Hitachi Vantara Pentaho support indicates that the vulnerability has been resolved in versions 10.2.0.0 and 9.3.0.9. Security practitioners should apply these patches to mitigate the risk, as affected versions remain vulnerable to exploitation by low-privileged users.