Lucene search

HITVANCVE-2023-1158

HistoryMay 24, 2023 - 10:15 p.m.

CVE-2023-1158

2023-05-2422:15:09

CWE-863

HITVAN

web.nvd.nist.gov

hitachi vantara

pentaho

business analytics

server

cve-2023-1158

security vulnerability

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.7

Confidence

High

EPSS

0.001

Percentile

17.5%

JSON

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list.

Affected configurations

Nvd

Node

hitachivantara_pentahoRange8.3.0.0–8.3.0.25

hitachivantara_pentaho_business_analytics_serverRange9.3.0.0–9.3.0.3

hitachivantara_pentaho_business_analytics_serverMatch9.4.0.0

VendorProductVersionCPE
hitachivantara_pentaho*cpe:2.3:a:hitachi:vantara_pentaho:*:*:*:*:*:*:*:*
hitachivantara_pentaho_business_analytics_server*cpe:2.3:a:hitachi:vantara_pentaho_business_analytics_server:*:*:*:*:*:*:*:*
hitachivantara_pentaho_business_analytics_server9.4.0.0cpe:2.3:a:hitachi:vantara_pentaho_business_analytics_server:9.4.0.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
hitachi	vantara_pentaho	*	cpe:2.3:a:hitachi:vantara_pentaho::::::::
hitachi	vantara_pentaho_business_analytics_server	*	cpe:2.3:a:hitachi:vantara_pentaho_business_analytics_server::::::::
hitachi	vantara_pentaho_business_analytics_server	9.4.0.0	cpe:2.3:a:hitachi:vantara_pentaho_business_analytics_server:9.4.0.0:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "Dashboard Plugin"
    ],
    "product": "Pentaho Business Analytics Server",
    "vendor": "Hitachi Vantara",
    "versions": [
      {
        "lessThan": "9.3.0.3",
        "status": "affected",
        "version": "1.0",
        "versionType": "maven"
      },
      {
        "lessThan": "9.4.0.1",
        "status": "affected",
        "version": "9.4.0.0",
        "versionType": "maven"
      }
    ]
  }
]

References

support.pentaho.com/hc/en-us/articles/14456024873741-IMPORTANT-Resolved-Pentaho-BA-Server-Incorrect-Authorization-Versions-before-9-4-0-1-and-9-3-0-3-including-8-3-x-Impacted-CVE-2023-1158-

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.7

Confidence

High

EPSS

0.001

Percentile

17.5%

JSON

Related for CVE-2023-1158