CVE-2024-57971

CVE-2024-57971 is a vulnerability in DataSourceResource.java within the SpagoBI API support of Knowage Server in KNOWAGE versions before 8.1.30. The flaw arises because the component fails to validate that JNDI names begin with "java:comp/env/jdbc/", allowing improper handling of resource identifiers (CWE-99). It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact network-accessible exploitation.

A high-privileged remote attacker (PR:H) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high confidentiality, integrity, and availability impacts across a changed scope (S:C), potentially allowing the attacker to manipulate JNDI lookups beyond intended data source contexts.

Mitigation is addressed in KNOWAGE version 8.1.30, as detailed in the GitHub commit f7d0362f737e1b0db1cc9cc95b1236d62d83dd0c and the release comparison between v8.1.29 and v8.1.30. Security practitioners should upgrade to the patched version and review JNDI configurations in affected deployments. Additional details are available in the Knowage documentation at spagobi.readthedocs.io.