What is CVE-2024-28982?

CVE-2024-28982 is a high-severity vulnerability in Hitachi Vantara Pentaho Business Analytics Server, classified under Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion). CVSS score: 7.1/10. Published 2024-06-26.

How severe is CVE-2024-28982?

High severity. CVSS v3 base score is 7.1 out of 10.

XXE in Hitachi Vantara Pentaho Business Analytics Server

CVE-2024-28982

Hitachi Vantara Pentaho Business Analytics Server versions before 10.1.0.0 and 9.3.0.7, including 8.3.x do not correctly protect the ACL service endpoint of the Pentaho User Console against XML External Entity Reference.

EPSS: 0.002 (45.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H.

Affected products

Hitachi Vantara Pentaho Business Analytics Server — versions 1.0, 8.3

Weakness classification (CWE)

CWE-776 — Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)

References

support.pentaho.com/hc/en-us/articles/27569195609869--Resolved-Hitachi-Vantara-…

Frequently asked questions

What is CVE-2024-28982?: CVE-2024-28982 is a high-severity vulnerability in Hitachi Vantara Pentaho Business Analytics Server, classified under Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion). CVSS score: 7.1/10. Published 2024-06-26.
How severe is CVE-2024-28982?: High severity. CVSS v3 base score is 7.1 out of 10.